Transcript for:

Hey, this is Andrew Brown over here on freeCodeCamp, bringing you another free Cloud certification study course, and this time we are looking at the AWS Cloud Practitioner, also known as the CLF-C02. The way we're going to achieve AWS certification is through lecture content, hands-on labs, and, as always, I provide you a full free practice exam. The best way to support, uh, more free study courses like this one is to purchase the optional paid additional materials. It's going to help you on your exam, and it's going to allow me to produce more of these, uh, great Cloud, uh, certification study courses. If you don't know me, I'm Andrew Brown, and this is the fourth time I've taught this, uh, certification, so it's really refined at this point, and I've taught a bit of everything in the cloud, so we've looked at AWS, Azure, GCP, Terraform, Kubernetes, you name it, I've taught it. Uh, but that's about it, and I will see you in class in the next video. Ciao.

Hey, this is Andrew Brown, and we are at the start of our journey, asking the most important question first, which is: what is the AWS Cloud Practitioner? Well, it's AWS's entry-level certification that's going to teach you things like the cloud fundamentals, so we're talking cloud concepts, architectures, deployment models. It's a close look at AWS core services, which would be our compute, our storage, our network, our databases, and it's a quick look at the vast amount of AWS services and functionality around AWS, so we're looking at identity, security, billing, pricing, support, and a lot more stuff, and we'll get into that in the course, and we'll even look at the exam guide outline, but, uh, yeah, there is a lot of stuff. Um, the course code for this certification is now the CLF-C02; the old one was the C01. Uh, the way to know if there is a new course is if this becomes the C03. If you see that, then this course, um, may be out of date, um, but, uh, yeah, right now it's a C02. Um, often people refer to this certification as the CCP, to stand for the Certified Cloud Practitioner. How
you want to refer to it is up to you, but, uh, there are a few ways of describing this certification. I want to point out that AWS is the leading cloud service provider in the world, and the Cloud Practitioner is the most common starting point for people breaking into the cloud, so even if you're going to, uh, utilize another cloud service provider, I'm just going to say that you're going to get a really good, uh, foundation with this certification, even if it's not the, uh, same provider.

Uh, so who is the certification for? Well, consider the Cloud Practitioner if you are new to cloud and you're learning the fundamentals; you are at the executive, management, or sales level and you need to acquire strategic information about Cloud for adoption or migration; or you are a senior Cloud engineer or Solutions Architect who needs to reset or refresh their AWS knowledge after working, uh, with cloud services or AWS for multiple years. Um, it's always a surprise that when I come back and I refresh this course, uh, the things that have changed, and it's very easy to, uh, miss those things, so yeah, this certification is for everybody.

So what is the value of the certification? Well, this, uh, certification provides the most expansive view possible of cloud architecture and AWS. I would describe this as having a bird's-eye view, or the 50,000 ft view. So with that in mind, uh, the idea here is to promote big-picture thinking. We're zooming out and assessing the cloud or AWS landscape for things like changes, trends, opportunities, um, and it's important to understand about being strategic about the approach and process for your journey, and that's why I like the certification so much, and I strongly, uh, recommend it for everybody's journey.

So what is the value of the certification? Well, it's not a difficult exam. Uh, it's not going to validate that you can build Cloud workloads, so if you are trying to obtain a technical implementation role like Cloud Developer, Cloud Engineer, DevOps Engineer,
uh, it's not going to be enough to attain those technical Cloud roles, um, but it could help shortlist your resume for interviews. Um, the exam covers content not found in other certifications, so it is recommended as an essential study guide, uh, for your AWS journey. Do not skip this one. Uh, some people like to go straight to the Solutions Architect, and then they realize that they didn't set a good foundation, or they just have gaps, uh, in their knowledge, which could really help out in their careers, so really, do not skip this one.

Um, I like to make these road maps to give you an idea, uh, in terms of where you can go after this certification. So here is, uh, all the certifications currently that AWS has. Notice that I have the Data Engineer. It's a really small one. It just, uh, came out as a beta exam. It's not as hard as the professionals; it's just where I place it on this diagram. Um, but the idea is that we have a lot of different ways that we can navigate or, uh, work through these certifications, and these can generally map to particular roles in the cloud. So, uh, very often people go right to the, uh, Solutions Architect. I'm just getting my pen out here, but very often this is the approach, that they'll go straight to here, uh, right after, the Solutions Architect, because they're very similar, um, in terms of, uh, scope and challenge and difficulty, where the Solutions Architect is a broad certification just like the Cloud Practitioner, but it's more focused on the technical knowledge, uh, whereas this one, of course, is much more broad, the cloud. And then after that, people will generally go for the Developer or the SysOps Administrator. In my personal opinion, I really do think that people should study all three Associates and do all three Associates at the same time, uh, because really I don't find that, uh, it makes sense to leave out the SysOps admin or Developer knowledge. Um, it's just the way that AWS engineers their certifications, but when you go to other ones, like, let's say, Google, they only have
one associate, and they have all the, um, they call it Cloud Engineer, and it has everything in it, and so again, I just feel like you should take all three, but you decide what works for you. Um, and, you know, you can see that there are various routes, but I want to just make it very clear that certifications do not validate programming, they do not, uh, make you do technical diagramming, they don't necessarily make you do code management, and there's many other technical skills that are required for obtaining technical roles like these roles, um, and that is not the purpose of certification. Certification is supposed to give you knowledge specifically on AWS, and so just understand that you need to make sure you get those skills, uh, somewhere else. I do try to, uh, slot in a lot of these, uh, technical skills, uh, where I can, and so if we're doing something in the course and you're wondering, why are we doing this when it's not on the certification, it's because I'm trying to give you those adjacent skills, uh, so that you are successful, um, in the future.

Okay, so how long does it take to, uh, study to pass this exam? Well, it depends, right? It depends, but if you're a beginner, we're probably looking at 30 hours. So this is someone who's never used AWS or a cloud provider before. Uh, you've never written code or had a technical role. If you're experienced, uh, your study time is going to be very low, like as low as 6 hours, even lower, uh, if possible, um, especially if you've already taken the certification. I sat it, um, uh, blind, right? I didn't look up anything, and I passed it, no problem. Um, but, uh, so it says here, you know, if we've practiced, we have experience working with AWS, if we have an equivalent experience in another cloud service provider. Some people are coming over from Azure or GCP, so they can kind of map their knowledge over to AWS, or if they have a strong background in technology, uh, you might really be already familiar with these kind of offerings from another, uh, like from another
discipline, and so your study time can be really low, but I would say that, um, you know, the average study time is probably 24 hours. So yes, it's closer to the beginner level, but that's the average study time that we found, and so it's basically a split between 50% lectures and labs, so labs are hands-on skills, and 50% with practice exams. Uh, a lot of people forget that practice exams are part of the study process, so make sure that you do do that. Uh, we do recommend a study time of one to two hours a day, uh, for 14 days.

Uh, what does it take to pass the exam? We're still going on with this here, but, you know, you have to watch those lecture videos and memorize key information. This is a knowledge-based exam. It does not test your skills, so knowledge is key here. Uh, you should do hands-on labs. We call those follow-alongs, within your own account. Uh, this is just going to help, uh, cement the knowledge in your head. It really makes a huge difference, so really do those hands-on labs, and get practice exams to simulate the real exam. You absolutely need to do this, because if you don't, you're going to find that you did all the study materials, and then, uh, the exam is its own, uh, beast, so make sure that you go get some practice exams. There's a lot of places that you can get them from. Uh, we offer a full free practice exam. I think we're the only provider that does this, but, um, we give you like a full free practice exam, and we also have some paid ones, so the best way to support this content that we produce is to purchase our additional paid materials. Uh, if you don't have the money, that's okay, we still have at least one full free practice exam to help you out. You can find that over at exam pro.
cfy C02, it looks like, but it's a zero.

Uh, let's talk about the content outline. So there are four domains, and you have to understand that each domain has its own weighting. This is going to determine how many questions in that domain will show up on your exam. The first one is Cloud Concepts, so that's for 24%, so we're looking at between 15 to 16 questions. Domain two is about Security and Compliance, so that's 30%. It's quite high up there, so we have about 19 to 20 questions. For Cloud Technologies and Services, it's 34%, so understanding the offerings of AWS is the most important thing in the exam. It's the highest percentage here, so we're going to definitely get 22 questions. And then, uh, we have domain four, so Billing, Pricing and Support, where it's at 12%, so we have eight questions. Not a lot for billing, pricing, support. Definitely important, because it's very easy to get overbilled in the stuff, but just, you know, point out that you need to know a wide range of AWS services; you need to know about core services more in depth.

So where do you take this exam? Well, you can take it at the, um, at an in-person test center or online from the convenience of your own home. I personally like to take it in a test center if there is one near me. I used to live in Toronto, now I don't, so there's no test centers near me, and so I have to do it online. It's just so much less stressful walking into a building and everything is, uh, controlled, whereas at home you might have a lot of things going on, and that can cause a lot of stress, but, you know, do what makes sense for you. So AWS delivers the exams via Pearson VUE, and so, uh, there's Pearson VUE, they have the online system, which you, uh, install on your computer, and then they also have a network of test centers they partner with. Uh, previously AWS also offered it via PSI. Um, they don't do this anymore. I'm not sure why they changed this. Before, it was only PSI, then they added Pearson, and now they've dropped PSI, so your only option is Pearson VUE. I just
want to point out what a proctored exam means. It means that someone is supervising, uh, your, um, your exam while you're taking it, so you're not cheating. So it's very common that when you check in, they're going to ask to look around your room, you might even have to talk to them, uh, and it's just, again, to make sure that what you do is, um, your exam was legit, so when they issue your badge, you know it's for real.

Anyway, let's talk about grading here. So the passing grade here is 700 out of 1,000 points, and so you need to get around 70% to pass. AWS, like many other Cloud providers, uses scaled scoring, so, um, that doesn't mean if you get exactly 70% that you'll pass, but, uh, I mean, more or less it works out to be that.

Okay, so the response types, uh, we have here. Well, first of all, we have 65 questions, and there are 50 questions that are scored, and then there's 15 that are unscored, and if that sounds bizarre, I mean, I agree with you. I think it's odd that they give you 15 unscored questions, but the reason AWS will do this is that they want to introduce new questions, um, to help test against the difficulty of the exam, um, because, you know, maybe some people know more than, uh, what they're expecting, so they can adjust the difficulty of the exam. I think that they use it as an anti-cheat mechanism as well, but from the test taker, it can get a bit stressful, because you can get 15 really crazy, wild questions that were not in your, um, uh, course studies, and it's just AWS testing things out, and so I just want to point out, don't get stressed out when you take this exam and you get a really funny question. It's probably one of those unscored questions. But on top of that, you know, there are 15 scored questions you can get wrong, so you can get a total of 30 questions wrong on this exam and pass. I just want to make that, uh, really clear. There is no penalty for wrong questions, so absolutely always submit an answer and take your best guess. The format of the questions are multiple
choice and multiple answer, so, you know, it's not too stressful in terms of the formatting of questions. Um, there are, again, 15 unscored questions of the exam. They will not count towards your final score. Why are there unscored questions? Uh, they're there to evaluate the introduction of new questions; they're there to determine if the exam is too easy and the passing score of the question difficulty needs to be increased; to discover users who are attempting to cheat the exam or steal dump exam questions. If you encounter questions you've never studied for, uh, that seem really hard, keep your cool and remember that they may be unscored questions. Just really want to emphasize that there.

In terms of the duration, you get 1.5 hours, so you have about 1.5 minutes per question. Your exam time is 90 minutes; your seat time is 120 minutes. What are we saying when we say seat time? This is the time it takes, uh, or that you should allocate, for the full exam. Uh, that includes, uh, things like reviewing the instructions, uh, showing the online proctor your workspace, reading and accepting the NDA, completing the exam, provide the feedback at the exam. So a lot of people go, okay, my exam's starting, or I have a 90-minute exam, but really you want to show up 30 minutes prior, uh, because that check-in process can be really, really stressful, so, you know, just consider that, uh, the full scope of time you need to dedicate for these exams.

This, uh, certification is valid for 36 months, so that's 3 years before recertification. Some other providers, uh, like Azure, if you do the fundamentals, it's forever. Um, other ones require you to refresh every year. Other ones, um, you don't have to take the full exam, you have a reassessment that is free. AWS likes to do it this way. The nice thing, though, is that when you do pass a certification, um, AWS allows you to get the next exam half off, uh, so at least there are cost-saving mechanisms if you do pass an exam, for the next follow-up certification. But yeah, uh, that
is pretty much a breakdown of, uh, the exam guide. We will go and take a look at the actual exam guide so we can, uh, understand the full scope of what's in there, uh, but yeah, we'll see you in the next one, okay? Ciao.

Hey everybody, it's Andrew Brown, and we are here on the training and certification page on the AWS website, and what I want to do here is I want to pull up the exam guide so that we can, um, make sure that we know exactly what it is that we're getting ourselves into. Uh, we did cover this in summary in the previous video, but, uh, I think it's always useful for you to know exactly where these things are. AWS is always changing their marketing pages, and I've already noticed a few changes here, so, um, just understand that's the nature of cloud. Notice here that it's talking about the, uh, beta exam certification, so even earlier we talked about the Data Engineer, or we at least showed it on our journey map, and it's not even 100% out, beta, so you can see we're kind of prepping for the future here.

I also want to point out that they have this like certifications path, uh, thing, and I don't really like it, because I don't think it's very accurate. So the first thing they show is Solutions Architect, and they don't even say you need to get the other two associate certifications, which you absolutely should do before you go for your Solutions Architect Professional. The Data Analytics is no longer a, uh, certification that AWS is producing, so this is an out-of-date document. So I just want you to understand that these are marketing pages. They're here to maximize the amount of certifications you need to obtain. My goal is not to make you take every certification; my goal is to make sure that you are prepared, uh, to do the job, and, um, I just want to, you know, help you avoid going down the certification route and getting too many certifications that aren't going to benefit you, so just take these with a grain of salt when you're reading them, okay? So anyway, what I want to
do is drop this down and go to Cloud Practitioner, um, and here on the Cloud Practitioner page, if we scroll on down, we got "prepare for the exam", and here we'll click the exam guide, and it'll open up a PDF, and it'll give us all the information we need to know. This is what AWS has been doing for a long time, is making these, um, exam guide PDFs, which I really like. Uh, but anyway, the first thing we should do is confirm the course code, so this one says CLF-C02, so we know we are on the right track.

And then down below here it says this exam validates the candidate's ability to complete the following tasks. I want to highlight some keywords: explain, understand, describe, and identify. So understand that this certification is not checking whether you know how to do Cloud; it's more if you understand Cloud. Um, and the majority of AWS certifications, in fact all of them, are multiple choice and multiple answers, so they can't really check if you were able to do something in Cloud, so just understand the limits of certifications, at least AWS certifications, based on their testing mechanisms.

So when it says target candidate, it's saying, uh, where you should be in order to pass this exam, and so they're suggesting that if you had six months of exposure to AWS, uh, with Cloud design, implementation, operation, then, uh, you should be able to pass it. It's just worded strangely, because it makes it sound like you should have this experience, um, before you even start studying, which is not true. They just mean, like, if you want to pass it. You don't need six months to pass this exam, that's crazy. You just need what we recommended, which was, um, uh, the amount of hours. We said the average hours is 24 hours, so, um, I'm not sure why they put six months. I guess it's just for those who are really having a hard time with Cloud, they give you a lot of, uh, um, scope or room there. But you can see they're pointing out, from non-IT backgrounds, recommended AWS knowledge: Cloud concepts, security, core
services, economics. That's just a repeating of the domains.

Um, notice it says job tasks that are out of scope is coding, um, Cloud architecture design, load performance and testing. I'm highlighting these three because I just want to point out that in Associate level, Professional, and Specialty, they actually do ask questions around troubleshooting, mation, and I suppose they do architectural design, but they never, ever, ever, no certification in AWS is going to test your coding skills, architectural diagram skills, and they're not really good about load and performance testing. They have like use case scenarios, but, um, just understand, again, the limits of these certifications.

Coming down below to the response types, we got our multiple choice, our multiple response, um, so that's pretty clear there. There is, uh, 50 scored questions, there's 15 unscored questions, so that is very clear. The, uh, the point system is based out of 100 to 1,000 points. The lowest you can get is 100 points. I don't know how that works. Like, why can't you get zero points? I don't know. The passing score is 700, so that's what we need to score there.

Then down below here it's just talking about the course outline, and it actually has a comparison of the old CLF-C01, so we can take a look there and see what actually has changed. So down below here we have our Cloud Concepts, our security compliance, our Cloud technology services, our billing pricing support, and then it comes in and starts describing all this stuff.

Now I need to make it very clear how AWS makes their exams. They give you a huge list of things you need to learn, but if you learn, um, each one of these things, you can end up overstudying, or you'll find that the exam guide outline is not one to one. I'll give you an example. We'll look at something else, so I'm going to go to HashiCorp here for a second. HashiCorp Terraform certification, as an example of how different AWS certifications are. So for HashiCorp, this is their
exam guide. They'll give you each of these items, and you can be 100% sure that every single thing, every one of these things, will show up on the exam one to one, so it's very easy to know exactly what you need to study for, um, and, uh, if you know all these things, you will pass. In AWS, they list all these things, but they won't all show up. They're pulling from a very large pool, so to kind of narrow down what you need to study, you need to have a good sense of, um, overall everything, and you're just going to get some things wrong.

But, um, anyway, coming back here. The first, Cloud Concepts, they're talking about the benefits of cloud, so we have a section on benefits of cloud, and so they talk about the value proposition, so there's like six or nine of them, I forget. We have multiple slides on that. And so we're talking about economics, scale, benefits of global infrastructure, advantages of high availability, elasticity, and, uh, agility. I think we call these Cloud architecture terminologies, because they're not really benefits. I mean, they are benefits of cloud, but I like to group them a little bit differently.

Then we have identify design principles for AWS Cloud, so we have the Well-Architected Framework. This, uh, was for the most part never in the CLF-C01 for 90% of its history, and then they decided last year or something to add it in, um, and, uh, before, it wasn't even in the Solutions Architect Associate, but now it's even at this level, and that's totally fine. You only need to know it at a very high level, so, um, it's not too difficult to learn, but it's a white paper, it's a PDF that, um, you know, just describes how AWS thinks that you should design, uh, your architecture.

Then we have understand the benefits of strategies and migration to the cloud, so we have Cloud adoption strategies, uh, Cloud Adoption Framework. So, um, this was not in the last exam, but, uh, luckily I included it, because I thought it was something that was very important, and so I already have it in the
certification course, even from the last one. They actually do ask quite a few questions around the Cloud Adoption Framework, but when you look at it, and again, this one's like a white paper, just like this one above here, and we'll talk about what white papers are, if you never heard that term, uh, it'll make sense in the course, but the Cloud Adoption Framework, um, there's not a lot to it, but on the exam they'll ask you a lot of questions around it, so you just have to have good common sense, um, about choosing those answers, if that makes sense. Um, identifying appropriate migration strategies, sure, I guess so. I never got any Snowball questions. Um, they say Snowball here.

We go down below here: understand concepts of cloud economics, so cost savings of moving to Cloud, aspects of cloud economics, uh, fixed costs compared with variable costs. They're talking about, uh, OpEx and CapEx, understanding the associate of on-premise environments. Uh, understand the difference between licensing strategies, and AWS never, ever really ever mentioned, uh, bring your own licenses, ever, in their certification courses, and I never got this on the exam, and other people I sat for the new exam never, uh, encountered this. Still good to know, but I'm just saying that I don't know why it's listed in here, because it's definitely not on the exam, but it is a good thing to note the basic level. Understand the concept of right-sizing, um, and maybe I'll go back and make a slide on that, 'cause I don't think I actually make a deliberate slide on that, but I think what they mean there is understanding, uh, like how horizontal scaling and stuff like that works, but, um, again, no questions on the exam for right-sizing, at least not from its technical definition like that. Identify benefits of automation. I think there might have been one question of saying like, hey, which one lets you automate stuff, and you just chose CloudFormation, but they really don't ask a lot of questions on the exam
about IaC, infrastructure as a code. Identifying, uh, managed AWS services, this is something they do a lot in exams, like, describe a service, you pick it.

We have Security and Compliance, so we have the AWS Shared Responsibility Model. You absolutely need to know that. That for sure always, always appears on the exam. Um, customer's responsibility, they'll do this a lot. They'll say, like, they'll give you a scenario of, um, of like a typical workload or resource, and then you have to, uh, determine if it's the customer's responsibility or AWS's responsibility. Describing responsibility the customer and AWS share, so again, this is just all the Shared Responsibility Model still here. Describing how the AWS responsibilities and customer responsibilities can shift depending on the service used, so yeah, this is basically the Shared Responsibility Model.

Understand the AWS Cloud security, governance, compliance, so, uh, compliance, governance concepts. Benefits of Cloud security, they don't really talk about that, uh, they really directly ask that in the exam, but yes, we do cover that. Where to capture and locate logs that are associated with Cloud security, they absolutely do not ask that on the exam. I'm not sure why that's here. Um, identify where to find AWS compliance information, that will absolutely be on the exam. Understanding compliance needs among geographic locations and industries, um, sure, I mean, they're talking about, we have a slide on this in the, um, global infrastructure, but it's, um, like data sovereignty and like GovCloud and things like that. Describing how customers secure resources for AWS, so just generally knowing the security services, yeah, that absolutely is on the exam. Identifying different encryption options, I never got this on my exam, I never heard of anyone else getting this, but, um, if they are going to talk about this, they're probably going to talk about it around S3. Recognizing services that aid in governance and compliance, absolutely, absolutely for sure, you will get questions
around, uh, things like FIPS or HIPAA or like common compliance certifications, not specific to AWS, but just in general. Um, here they're just talking about specific security services. This is kind of a repeat of what they're talking about up here, um, but they say there's identity service, governance service, it's all the same thing here. Recognizing compliance requirements that, uh, vary among AWS services, sure.

Identify AWS management capabilities, so they're talking about IAM, um, the AWS root account, we got a separate slide on that, uh, principle of least privilege, absolutely, absolutely they will ask that there. Single sign-on, also known as AWS Identity Center, I don't know anyone who's gotten this as a question on their exam, but, uh, we got a slide for it. Understanding access keys, yep, we cover that. Uh, password policies, credential storage, Secrets Manager, Systems Manager, um, just a bunch of stuff. Identify components and resources of security, describing security features, so ACLs, AWS WAF, security groups. They really don't ask these on the exam, so I'm just trying to make a point that they're asking for all this stuff and it doesn't even show up in the exam. So, um, and, you know, we can just keep going and going through this, and I can keep telling you what is and isn't, but if you go down below, it gets even crazier, because they go, any of this stuff could show up in the exam. It's just like a big list, it's crazy. So, you know, I know that seems stressful, but, you know, just follow me, uh, in this course, and you will absolutely pass. If you go through my content, you'll have no issue there, and we'll avoid all the stuff that doesn't show up, and don't stress out about this exam guide.

Now let's go take a look here and see where the rebalance has changed. So notice here that this went from 26% to 24%. They never used to do this, so I really appreciate this is now in the exam guide, but we got 25 to 30%, 33 to 34%, 16 to 12%. Why they would reduce this one, I
don't know, but it is a shuffle, whatever. Um, they of course increased, uh, the technology section more and did some basic rewording. Support should have always been in there, so it was always under that section, but, uh, it's nice that they labeled it as such. Um, so notice here it says no content was deleted from the exam, and, um, this was the largest struggle for me for the certification, because I already made all the content for the last one, my old one is not expired, and I was struggling because I already had this as well. This is the only thing that they added that was new to the certification, and then they just reworked these numbers here, and so, um, you know, I did add more, I added more labs, I added more, um, other stuff there, but I'm just going to say, like, I don't know why they did an update from C01 to C02, because barely anything changed. Now, I shouldn't say that. The exam questions did change. I noticed that the exam questions, um, the quality of them kind of, uh, have dropped. I'm wondering if they're using generative AI to generate out questions or something, but, um, the quality of questions are definitely, um, different, and I would say that they're not worded as clearly as they used to be, for whatever reason, um, but anyway, you'll still be okay, it's totally fine.

Uh, recategorization of CLF-C02, and so they just did a shuffle of, um, of these points, and again, I really don't think that the new one is better. How useful is this exam guide? I should probably give them, uh, survey feedback, but anyway, just to give you an idea how much stuff there is in here. Do not stress out, just stick with the course, you'll absolutely pass, uh, and, uh, you know, hopefully that gives you, uh, some better confidence there, but we'll see you in the next one. Uh, ciao.

Hey, this is Andrew Brown from ExamPro, and what we're looking at here is a free practice exam that I provide with you, uh, for this course, and all you have to do is sign up on ExamPro. You don't
even need a credit card, and you can redeem, uh, the free available content here, and this is really up to date and very well simulates what you will see on the actual exam, and it's a full set, full 65 questions, so you're getting a real simulation here. But what I'm going to do is just start it off here. We're not going to do the whole thing; I'm just going to click through and show you a couple of them so you have an idea, um, the level of difficulty these questions are.

So the first question we got presented with here is: which AWS Support plans provide access to the seven core Trusted Advisor checks? And so that is a question that you might need to answer. I don't want to spoil this for you, so I'm not going to tell you the answer. We'll go to the next one. So, a large accounting firm wants to utilize AWS to store customer accounting information in archive storage and must store this information for 7 years due to regulatory compliance. Which AWS service meets this requirement? So the first one, you'll notice this one is multiple choice, or sorry, multiple answers, so you have to select multiples before you can submit your answer, and the next one here is just a single choice, so those are the two types of questions you will see on the exam. They're not going to ask you anything about coding; you're not going to see any kind of code. Um, in terms of length, that's pretty much what we'll see in terms of the, uh, questions. I think in many cases I wrote a little bit more, more like, um, in the style of the Solutions Architect Associate, to make it slightly more difficult, just so that you're a little bit overprepared, so if you do well on these practice exams, you're going to do, uh, well on the exam, okay? So I just wanted to kind of get you that exposure there, okay.

Hey everyone, it's Andrew Brown, and I have opened our exam simulator. This is on the ExamPro platform, and this is the free set, uh, that I promised, uh, folks in the course, so no cost to go get this one, you just have to sign up and access
it but the reason I have it open is because I really want to talk about a very specific type of question that we've included in here that will not appear on your exam so uh for those who are familiar with Azure certifications um at the associate level or higher there's this question type called a case study and what a case study is I'll I'll just pull it up here but I believe uh in this randomization of this practice exam set I think it's this one here but what a case study is it gives you a scenario that you have to read through or a a case study about a company so you read about the company you look at the objective its requirements constraints this stuff can all be different there could be diagrams all sorts of stuff in here but the idea is that you are contextualizing a business use case and they're going to be asked a series of questions uh multiple choice multiple select and it all ties back to that case study so the reason we included this is that um we believe that this is going to give you better comprehension and a higher chance of passing so it's not going to appear in your exam but we include it as an extra challenge to you so that you have um a higher chance of passing now if you don't like this we do have other practice exams they of course are paid that uh that are just the normal style which is all multiple choice multiple select for um this this course the cloud practitioner um but you know we do have them in half of the practice exam sets because uh again I think that it's going to be good for you so hopefully you see that as a bonus but I just wanted to give you a heads up um about this uh because you'll counter me like what the heck is this um the other thing I want to point out is that when you enter a case study it's like having a mini exam within your exam so once you've answered all these questions uh you can't go back and and um you can while you're within the case study but if you get to the end of this and submit the case study you can't go 
back and update it so just be aware of that um and you know again hopefully you like this we love feedback to hear what people like but it's just they always appeared in Azure exams and uh we want to see them in AWS ones as well because I think they're just really good for uh testing your knowledge but anyway we'll see you in the next one okay ciao [Music] hey everyone it's Andrew Brown your favorite Cloud instructor and what I want to do in this video is to show you um a unique feature that is in our platform um just in case you come across it while you're while you're uh doing the materials I can't remember if it's in the free or paid tier I believe it's in the paid tier so I'm not trying to upsell anyone but I just want to make sure people are aware of that while they are um taking this course but sometimes what you'll see in the follow along so like for example we have S3 down here which is for uh Cloud simple storage uh and I don't have them always included in the videos but um at some point I might do that but the idea is that um we have these validators and validators what they can do is they can verify uh whether you actually have uh the resources uh deployed in your cloud account um so it's like an additional check to make sure that you did it right so for example we have this one for S3 so it says setup an S3 bucket it is account validation so so this tool performs an automated check on your personal cloud infrastructure to confirm its alignment with the build project requirements make sure you input precise values for your infrastructure components so let's go through that and show you this I'm showing this as an example but you know you'll see them in other in other follow-alongs and look out for for that stuff I believe in the to-do it'll even show it uh here so if you watch the video and you watched it to the end or you press that button there but you'll get your your uh your star uh for that but the way it works let's go through it so the first thing is I 
want to uh click on this new run button and then what we'll do is we'll have an agreement so this agreement is confirming that you understand that you are using your own cloud account uh and we are going to uh need to get read-only access to it and just understand that you are using uh you're providing us access to account that is your own account and it's not your company's account because obviously we don't want to get in trouble for accessing data that we're not supposed to have and you don't want to get in trouble for that so that's just a a friendly reminder so I'm going to click the I agree and the accept the next thing it's going to ask for is your AWS account ID the region that you're deploying in and then it there might be additional uh parameters that it wants to know so that we can test against it so what I'm going to do is just log into my AWS account it'll just take me a moment and we'll fill this out for real okay now of course I'm filling out this example here but I just want to point out that um uh you know you're just going to have to follow this procedure and it'll be slightly different for each one uh for that okay be back in just a second all right so I'm logged into and uh one of my AWS accounts I have a lot of them uh I think this one is my developers one so uh for this particular follow along you would have created an S3 bucket right and so um what I'm going to do here is go to S3 and I already know what to do so it's not too hard for me but I'm going to go ahead and create myself a new bucket I'm going to make note of the region that I'm deploying in so S3 is a bit unique because it shows Global but you are still deploying to a specific region so we'll go ahead and create that bucket I'm just going to say my validator bucket as a test notice where it's deploying us-east-1 I could change that to anything else like ca-central um I am in Canada so doesn't hurt to deploy where I am and we'll go here and go all the way down and I'm going to go 
and create this bucket okay so um that bucket name was I forget it was like something like validator and so what I need to do is copy that name we'll go back over here and so it's asking for the bucket name so there's the bucket name we need the AWS account ID that always appears in the top right corner and they have a nice um clipboard button there to get that in there and the region so we deploy that in ca-central-1 so it says there ca-central-1 you're always using this uh programmer's name not the full name but this this fun handle you can see them all here on the right hand side if you're not sure about that but what we'll do is go back over here we'll paste in that user region and so what this is going to do is create a um a CloudFormation template that's going to give access to us to uh your account so we'll go ahead and hit save and continue and so now we uh we've inputted our parameters those have been saved and now it's saying we need to access your Cloud resources so we want you to generate this CloudFormation template we're going to press the button we'll wait a moment and we can either download this template or use the AWS CLI to run it um the CLI command is a lot easier to use and I'm going to recommend that you always do that and uh so what we're going to do is generate out this CLI command and we're going to get this one-line command and I'm going to go back over to AWS sorry I know I'm going really fast but it's just how it is and at the top left corner we have this little button here that's for CloudShell we're going to open it up I know coding scary but it's really important to get as much coding experience or scripting as you can so strongly recommend you follow along here but uh it's going to open up and once it's it's open we can paste that in now sometimes this wants to have some kind of EBS storage so you might have to say yes and wait a little bit um that's just the norm for cloud storage but I'm going to go back here I'm going to copy 
this command okay and we're going to go back over here I'm going to right click and paste and this always happens when there's a multitext line we got a pop up here and we're just going to review it looks good so notice it has a template URL so that's the template it's pulling in um there's temporary credentials to uh to allow that uh it's going to create a stack name called exam Pro validation and it's going to say capability named IAM now this might fail because I've done it before but we'll go ahead and paste it in I'm going to hit enter and it looks like it's creating the stack so we'll go over to CloudFormation and uh we'll go here and I'll just get this out of the way I don't want that open right now and so I'm just going to give this a refresh and did that create that right now that was the name of the stack right exam Pro validation that is correct and if I go over here uh what's the date today I don't even know because that might be an older date I mean it's November so I I don't think that one worked because I already had it uh working there before um so what I'm going to do here I'm going to go ahead and delete this one okay so I just want to point out like if you're doing multiple validators in the system you always have to roll it back tear it down okay like the old one so I'll delete that one again cuz I just don't have a strong confidence that it was actually deployed so I'll be back here in just a moment it tears down all right it actually did uh finish tearing down so that is um there but I'm going to go back here I'm going to attempt to run this command again so go ahead and copy this and I will paste it in again we'll say paste and I'll hit enter and uh it says already existed in the stack well what are you talking about it's definitely uh definitely not there that's what I thought I would get as an error the first time around so this is ca-central-1 oh oh you know what it is I'm in North Virginia so you got to be very careful with your um your 
regions so I go over here so I I I did delete one that was from another one that's why I was confused because I thought it already existed I have to delete it out th this is normal in Cloud right so just understand that when I do follow alongs I don't edit out the tricky Parts because I know it makes it a little bit confusing but it really does help to demonstrate uh how confusing Cloud can be and how to work through those proc but over here ca-central so this is deployed 11:15 that's the date that I've deployed this on so that makes sense uh here so we just got to be very uh aware of that so this is in ca-central-1 uh but we'll go back over here and so this is done so we know that it's done because it's here it's in the region that we expect it to be in so now the uh the permissions are done we can run the puller so what the puller is going to do is it's now going to pull data from your account uh uh and that way we're going to to uh be able to then validate whether things are correct so we'll go ahead and run the pull and notice it says s3api list-buckets it flashed it really quickly but the way this tool works is it's actually using the AWS CLI underneath so I'm just going to go ahead and just show you what this is uh and just show you a quick reference here so the AWS CLI is a pragmatic way to um uh access uh information uh for AWS we probably show that somewhere in this course and so the command it was running I believe was I should know I coded this was s3api and then it was like list-buckets uh list-buckets so that's the command it ran so really what the validator did it it did aws s3api list-buckets okay and if you notice this it returns back JSON so we get back the payload that's what we are storing in our own AWS account which by the way we delete after a period of time I don't remember how much time but we we don't hold on to your data for long cuz we don't really want it um but yeah so here it's returning back that data and so somewhere in here 
that there the the buckets in here right so we've pulled that data and it's there and so now we can run the validator we'll click run validator and it's super fast because we already have the data downloaded and it's doing one check here so it says should have bucket matching name so you can see it's it's doing it's loading from a JSON file that's called S3 API list buckets we always name our JSON files after the commands and it's looking through buckets so if we go over here all the top here for a moment you can see buckets so it's looking within this array and it's trying to match a name called my validator bucket which which which you provided to us so somewhere in here I have a lot of buckets in this account somewhere in here uh there it is it's there and so that's how that works um but yeah just look out for those validators um and uh try to run them and and validate that uh you are able to uh do this stuff okay but we'll see you in the next one okay ciao oh wait wait wait wait wait wait wait I didn't show you how to clean up I'm just running off screen here so once you're done uh what you can do is you can go over to CloudFormation here and you should do this is go ahead and delete the stack okay um because that's going to tear down the permissions so that we no longer have access to your account um so that's kind of an important thing to do um but uh we'll go ahead and the other thing about these permissions is that we're only asking for exactly what we need access to so in this in this uh permissions it only generate out to get access to uh the S3 bucket specifically what we're accessing for so even if you left it up it's usually okay it's safe but um you know if there's no reason for us to have access anymore you should all obviously delete it um but yeah that one is now gone and so now we are absolutely done I'm going to go ahead and just close this out here but yeah hopefully uh that makes it pretty clear how validators working in our system 
and you see the benefit to getting that uh check in your real account [Music] ciao hey this is Andrew Brown from exam Pro and we are at the start of our journey asking the most important question first which is what is cloud computing so cloud computing is the practice of using a network of remote servers hosted on the internet to store manage and process data rather than a local server or personal computer and so when we're talking about on premise you own the servers you hire the IT people you pay or rent the real estate you take all the risks but with a cloud provider uh someone else owns the servers someone else hires the IT people someone else pays or rents the real estate and you are responsible for configuring cloud services and code and someone takes care of the rest of it for you [Music] okay so to understand cloud computing we need to look at the evolution of cloud hosting going all the way back to 1995 where if you wanted to host your website or web app you'd have to get a dedicated server so that would be one physical machine dedicated to a single business running a single project a site or an app and as you can imagine these are expensive because you have to uh buy outright the hardware have a place to store it the network connection having a person to maintain it um but it did give you a guarantee of high security um and they still do as of today so this model hasn't gone away but it's been specialized for a particular use case then came along the virtual private server so the idea is we still had one physical machine but now we were able to subdivide um our machine into submachines via virtualization and so essentially you're running a machine within a machine and so you had better utilization of that machine um running multiple web apps as opposed to having a physical machine per project so you got better utilization and isolation of resources and so uh these two options still required you to purchase a machine a dedicated machine and so that 
was still kind of expensive but then came along shared hosting and so if you remember uh the mid 2000s like with GoDaddy or HostGator or any of those sites where you had really cheap hosting the idea is that you had this one physical machine shared by hundreds of businesses and the way this worked it relied on uh tenants underutilizing their resources so you know you wouldn't have a submachine in there but you'd have a folder with permissions that you could use um and so you would really share the cost and this was very very cheap um but you were limited to whatever that machine could do and you were very restricted in terms of the functionality you had and there was just poor isolation meaning that you know if one person decided to utilize the server more they could hang up all the all the websites on that single server then came along Cloud hosting and the idea is that you have um multiple physical machines that act as one system so this is distributed computing and so the system is abstracted into mult multiple cloud services and the idea is that you basically get the advantages of a lot of the things above so it's flexible you can just add more servers um it's scalable it's very secure because you get that uh virtual isolation you get it extremely at a low cost because you're sharing that cost with the users where in the shared hosting it might be hundreds of businesses we're looking at thousands of businesses and it was also highly configurable because it was a full virtual machine now uh Cloud actually uh still includes all of these types of Hosting they haven't gone away uh but it's just the idea that you now have more of a selection for your use case uh but hopefully that gives you an idea what cloud hosting looks like and it really has to come down to distributed computing [Music] okay hey this is Andrew Brown from exam Pro and before we talk about AWS we need to know what is Amazon so Amazon is an American multinational computer technology corporation 
headquartered in Seattle Washington and so this is the Seattle skyline with the Space Needle and Amazon was founded in 1994 by Jeff Bezos and the company started as an online store for books and expanded to other products so as you can see this is Jeff Bezos a long time ago and he has this interesting spray painted sign and his desk is held up by cinder blocks and it looks like his uh desk is like an old uh table or something and he's working really late and he used to be a millionaire at this time and he would be driving into work his Honda Accord because you know he just his motivation was always to put all the money back into the company so he really shows that he worked really hard and it did pay off because Amazon has expanded uh Beyond just an online Ecommerce store into a lot of different things such as cloud computing which is Amazon Web Services Digital streaming such as Amazon Prime video Prime music they bought twitch.tv they owned the Whole Foods Market grocery store they have all this artificial intelligence they own low orbit satellites and a lot more stuff it's hard to list at all and so Jeff Bezos today is not the um the CEO it's actually Andy Jassy is the current CEO of Amazon he was previously the CEO of AWS so Jeff Bezos can focus on space travel so there you [Music] go hey this is Andrew Brown from exam Pro and we are taking a look at Amazon Web Services and this is the name that Amazon calls their provider service and it's commonly referred to just as AWS so here is the old logo where we see the full name and here is the new logo but I like showing the old logo because it has these cubes which best represent what AWS is and it is a collection of cloud services that can be used together under a single unified API uh to build uh a lot of different kinds of workloads so AWS was launched in 2006 and is the leading cloud service provider in the world I put an asterisk there because technically AWS existed before 2006 and a cloud service provider uh 
which is what AWS is is often initialized as CSP so if you hear me saying CSP I'm just saying cloud service provider okay so just time to look at the timeline of when Services rolled out the first one came out in uh 2004 it was Simple Queue Service SQS and this service still exists as of today but at the time it was the only service that was publicly available so it wasn't exactly a cloud service provider at this time and it was neither AWS it was just SQS but then a couple years later we had Simple Storage Service also known as S3 which was launched uh in March of 2006 and then a couple months later we had Elastic Compute Cloud also known as EC2 um and EC2 is still uh like the most used service within AWS and is like the backbone for pretty much everything there then in 2010 it was reported that all of amazon.com's retail sites had migrated to to AWS so even Amazon was using AWS uh Full Steam and to support industrywide training and and skill standardization AWS began offering a certification program for computer Engineers on April 2013 uh and this is the type of certifications that we are doing as we speak um so I just want you to know that AWS was the one leading uh Cloud certifications if we just want to take a look here at the executive level as of today the CEO is Adam he's the former CTO of Tableau and he spent a decade with AWS as a VP of Marketing sales and support so he was there he had left for a bit and now he is back then we have uh Werner and he's the CTO of AWS he's been uh the CTO for pretty much the entire time AWS existed with the exception of sometime of the first year he's famous for uh quoting everything fails all the time and then there's Jeff Barr who's the chief evangelist so um if you're ever wondering who is writing all the blog posts and talking about AWS it's it's always Jeff Barr [Music] okay all right so what I want to do here is expand on what is a cloud service provider also known as a CSP just because there's a lot of things out 
in the market there that might look like a CSP uh but they actually are not so let's go through this list and see what makes a CSP so this is a company which provides multiple cloud services ranging from tens to hundreds of services those cloud services can be chained together to create cloud architectures those cloud services are accessible via a single unified API so in AWS's cases that is the AWS API um and from that you can access the CLI the SDK the Management console those cloud services utilize metered billing based on usage so this could be per second per hour uh vCPU memory storage things like that those cloud services have Rich monitoring built in so you know every API action is tracked and you have access to that so in AWS's case it's AWS CloudTrail and the idea here is those cloud services have infrastructure as a service offering so IaaS that means they have networking compute uh storage databases things like that those cloud services offers automation via infrastructure as code so you can write code to set everything up and so here's just kind of a example of an architecture where we have a very simple uh web application running on EC2 behind a load balancer with the domain with Route 53 but the idea is just to show you that you know you're chaining these things together if a company offers multiple cloud services under a single UI but do not meet most of or all of these requirements it would just be referred to as a cloud platform so when you hear about Twilio or HashiCorp or Databricks those are Cloud platforms and AWS Azure GCP are cloud service providers [Music] okay all right let's take a look here at the landscape of cloud service providers this is generally broken down into tier one tier 2 tier three but I've modified it to give each tier its own name as I don't like to think of them as rankings and more so that uh these cloud service providers are specialized for a particular thing um and I've also added a fourth tier because you know the internet 
has always talked about three tiers but there really is a fourth tier and I wanted to make sure we had uh the full scope here included so in the top tier you're going to recognize uh some common names there Amazon Web Services Microsoft Azure Google Cloud Platform and Alibaba Cloud in North America and Europe uh AWS Azure and GCP are known as The Big Three um but Alibaba Cloud is huge as well if you're in the Asia region specifically China so it's really just going to be dependent on where you live where uh which are considered the most um commonly known or popular uh but we'll talk about that here in a moment but the reason um I call tier one top tier is that these are you know very well-known providers they're ear early to Market they have strong synergies between their services um they're just really good cloud service providers you cannot go wrong with uh these providers then we have our tier two or I would call our mid-tier uh these are backed by really well-known tech companies but I would just say that um their ability to become top tier uh did not work out the way they planned so IBM at one point was looking to be a top tier provider um but they just did not keep up with um AWS and they just slipped into this mid- tier and kind of specialized at least for a while into ML AI services and now they're just more like very expensive um Enterprise uh managed infrastructure for their existing clientele Oracle um very very inexpensive that's their play they try to uh be the cheapest but their uh service um overall is not uh fun to use interestingly enough I believe Microsoft Azure was just signing a contract to use Oracle Cloud so it's not unusual for some of these cloud service providers or these organizations to use other providers because they want to use their Global infrastructure but uh yeah Oracle Cloud is uh not doing that great there are other ones in the Asia region like uh Huawei Cloud and Tencent Cloud I honestly don't know a whole lot about them but 
they do show up on the Magic Quadrant so it's possible the Asia region that these are the big three and uh AWS Azure and GCP do not play a larger role but from our perspective I put them into that mid tier because they just don't have Global uh awareness or Global um market dominance like the other three uh up there looking at the light tier uh these were traditionally virtual private servers so they just specialized in that and they turn to offer more core infrastructure service offerings so we we have Vultr I always thought it was pronounced Vol but it's actually vulture DigitalOcean and Akamai Connected Cloud which was formerly known as Linode or Linode um so they merged their companies together and I mean they want to be like a cloud service providers but they're very very light in terms of their offering so um you know they'll have things like serverless and being able to run a Kubernetes cluster and some cloud storage and stuff but they won't have things like uh the the same level of event driven metered billing or or other kinds of functionality that you you come to expect in the top tiers but you know if you're working with a smaller organization they are a lot simpler to uh to utilize so they are a great introduction to Cloud for companies that find the top tier uh too complex and then looking at the fourth tier I call this the private tier this is uh basically software that you can deploy onto your own uh machines in your data centers to get the same kind of um functionality that you would if you were using let's say AWS or any of these other providers and um you know previously I would put OpenStack into the mid tier because in a sense that it was kind of like a cloud service provider that was using uh quite a bit but I didn't feel like it had had good fit there so that's why we made this a fourth tier and we have a few different softwares we have OpenStack Apache CloudStack those are both open source and there's VMware vSphere I have an asterisk there because 
it's not really the same thing but it is used a lot everywhere to manage a lot of virtual machines and so I I kind of feel like it should fit in there but that gives you kind of an idea of the landscape of cloud and we'll see you in the next [Music] one so how do we determine who is the leader in Cloud well one way of indicating that is the Gartner Magic Quadrant for cloud so the Magic Quadrant is a series of market research reports published by the IT consulting firm Gartner that rely on proprietary qualitative qualitative data analysis methods to demonstrate market trends such as Direction maturity and participants so it says a series of reports uh but the only thing I've ever seen are these Graphics where they show um a uh the quadrant it's a it's a diagram that summarizes all the information so I think you have to you might have to pay to access uh the reports um because it's definitely not just uh publicly accessible knowledge and I don't think they would show all of uh how this stuff is calculated but uh let's just take a look at this graphic here so notice we have challengers in the top left corner leaders in the top right corner in the bottom left corner we have Niche players and then in the bottom right corner we have Visionaries so the idea here is that The Closer you are to this top Corner uh the better you are doing and the one that is closest to it is Amazon Web Services followed with Microsoft pretty close uh in second Google to the left Alibaba Cloud X Oracle and then we have IBM Tencent and Huawei and there are other players but they are so small that they are not showing up there and we showed that in the landscape of CSPs or um maybe this is only for first they consider what uh we call First tier or top tier cloud service providers it's really useful to look at last year's uh MQ and to see how things have moved so it looks like uh it uh Microsoft has shifted a little bit forward here and gone a little bit closer to AWS Google has significantly moved 
up and um Alibaba Cloud it seems to be moving more uh to the right um and again I'm just showing what their movements were from this year to that year so they are over here now Oracle is way over here now and for whatever reason Huawei Cloud is on the board so it's interesting to see how they move another thing that's um interesting here is that this one is 2022 of June and this one is July of 2021 and right now as the time I'm recording this video it's 2023 near the end of the year um and I could not find a 2023 one so even if it says June or July they will release these out in October November Etc way later in the year and so for whatever reason they have yet to make um the latest one available so I'm still curious to see what that is here so I'm just giving you the information that we have but you can look at this stuff um basically on the the Gartner website if you want to see um any of these Magic Quadrants for any of the industries there and what I find is is that if uh companies doing really well they'll always post it on their website so it's very easy to find the uh Magic Quadrant for cloud on the AWS website because they're the leader so they definitely want to show that there uh but yeah there you [Music] go so a cloud service provider can have hundreds of cloud services that are grouped into various types of services but the four most common types of cloud services for infrastructure as a service uh and I call these the four core would be compute so imagine having a virtual computer that can run applications programs and code networking so imagine having virtual Network defining internet connections or network isolation between services or outbound to the internet storage so imagine having a virtual hard drive that can store files databases so imagine a virtual database for storing reporting data or a database for general purpose web applications and uh AWS in particular has 200 plus cloud services and I want to clarify what cloud computing means because 
notice that we have cloud computing Cloud networking cloud storage Cloud databases but the industry often just says cloud computing to refer to all categories even though uh it has computer in the name so just understand when someone says cloud computing uh they don't just generally mean the subcategory they're talking about all of cloud [Music] okay so adus has a lot of different cloud services and I just want to kind of go quickly over the types of categories that we can encounter here and just mention the four core so any CSP that has IAS will always have these four core service offerings we have computes so Nat this would be ec2 VMS storage this could be something like EBS virtual hard drives database so that could be RDS SQL databases networking and content delivery but really it's networking uh and this would be VPC so private Cloud Network okay so uh let's just look at all the categories that are outside the four core so there could be analytics application integration arvr a cost management blockchain business application containers customer engagement developer tools and user Computing game Tech iot Machine learning management and governance Media Services migration uh and transfer most mobile Quantum Technologies robotics satellites security identity and compliance if there was more I would not be surprised but you can see there's a lot of stuff that's going on here so let's take a look at all the itaba services that are available to us so if you're on the marketing website which is adab. 
amazon.com what you'll see in the top left corner is products and so these are all the categories and for whatever we want if it's like EC2 we can go into here and we can read all about it so usually we'll have our overview all right and that's not very useful and then we'll go over to features and so this can be kind of useful to get some basic information and pricing which is something you'll do a lot in AWS is you're always going to be going to a service looking up its price and so you'll make your way over uh here every single one is different a very important page would be like getting started so this will give you basic information but what I do is I like to go all the way down to the bottom here and find my way over to the documentation so I'll go here to documentation to get that deeper knowledge about that service and as you can see things get pretty deep with AWS in terms of the information they have so hopefully that gives you an idea of the scope also when you're logged into AWS and this will be when we create our account uh you can explore all the services this way as well so these are all the AWS services uh but you just notice that there's two ways to uh explore them where this is actually you just actually utilizing the services and then the marketing website is you reading about them and learning all about them [Music] okay hey this is Andrew Brown from ExamPro and we are looking at the evolution of computing your cloud service provider has all of these offerings and the idea is that you need to choose the one that meets your use case a lot of times this all has to come around the utilization of space that's what we're trying to illustrate here in this section here and the trade-offs of why you might want to use some of these offerings okay for dedicated we're talking about a uh a physically uh a physical server wholly utilized by single customer that's considered single tenant and uh for Google Cloud we're talking about um single
node clusters and bare metal machines where you have control of the virtualization so you can install any kind of hypervisor or virtualization you want in the system the trade-off here though is that you have to guess upfront what your capacity is going to be and you're never going to 100% utilize that machine cuz it's going to have to be a bit under in case the utilization goes up that's you're choosing the CPUs and the memories you're going to end up overpaying because you're uh you'll have underutilized server uh it's not going to be easy to vertically scale it's not like you can just say resize it because the machine you have is what you have right you can't add more I mean I suppose they can insert more memory for you but that's a manual migration uh so it's very difficult um and replacing the server is also very difficult okay so you're limited by the host operating system it's not virtualized so whatever is on there is on there um and that's what your apps are going to have access to uh if you decide to run more than one app which is not a good practice for these kind of machines uh you're going to end up with a resource sharing where one machine might utilize more than the others technically with a dedicated machine you have a guarantee of security privacy and full utility of the underlying resources I put an asterisk there because yes it's more secure but uh but it's up to you to make sure that it's more secure so you have that's up to your skills of security right whereas if you had a virtual machine or anything above that there's more responsibility on the cloud service provider to just provide a secure machine and they can do a better job than you so why would you use a dedicated machine well maybe you're doing high performance Computing where you need these machines like very close together and you have to choose what kind of virtualization you need to have okay so then we're looking at virtual machines the idea here is you can run a machine
within a machine the way that works is we have a hypervisor this is a software layer that lets you run the virtual machine uh the idea here is now it's multi-tenant you can share the cost with multiple customers you're paying for a fraction of the server uh you'll still end up overpaying for the underutilized virtual machine because a virtual machine is just like you have to still say how many vCPUs how much memory and your app is you know you don't want an app that uses 100% right you want to use exactly the amount you need but you can see here you know there's still going to be some underutilization uh you're limited by the guest operating system now but now it's virtualized so at least it's very easy to uh possibly migrate away if you choose to run uh more than one app on a virtual machine it can still run into resource sharing conflicts uh it's easier to export or import images for migration it's easier to vertically or horizontally scale okay and virtual machines are the most common and popular offering for compute because people are just very comfortable with those then you have containers and the idea is you have a virtual machine running these things called containers the way they do that is similar to a hypervisor but instead you have um like here is a Docker daemon so it's just a um a container software layer okay to run those containers there's different kinds Docker is the most popular uh and the great thing is you can maximize the uh the capacity because you can easily add new containers resize those containers use up the rest of the space it's a lot more flexible okay uh your containers will share the same underlying OS but they are more efficient than multiple VMs uh multiple apps can run side by side without being limited uh by the same OS requirements and not cause conflicts during resource sharing so containers are really good but you know the tradeoff is there's a lot more work to maintain then you have functions functions go even a step further
and the idea is that you uh the containers where we where we talked about that's a lot of work to maintain now the cloud service provider is taking care of those containers generally sometimes not it depends if it's serverless or not but the idea is that you don't even think about and this is called serverless compute but you don't even think about uh the OS or anything you just know that what your runtime is you run Ruby or Python or Node and you just upload your code and you just say uh I want this to be able to run uh uh for this long uh and use this amount of memory okay you're only responsible for your code and data nothing else it's very cost effective you only pay for the time the code is running uh and VMs only run when there is code to be executed but because of that there is this concept of cold starts and this is uh where the virtual machine has to spin up and so sometimes requests can be a bit slow so there's a bit of trade-off there but functions or serverless compute is generally one of the best offerings as of today but most people are still getting kind of comfortable with that Paradigm [Music] okay hey this is Andrew Brown from ExamPro and we are taking a look at the types of cloud computing and the best way to represent this is a stacked pyramid and we'll start our way at the top with SaaS also known as software as a service so this is a product that is run and managed by the cloud service provider you don't have to worry about how the service is maintained it just works and remains available so examples of this and actually uh the first uh company to coin this was actually Salesforce um then there's things like Gmail Office 365 so think Microsoft Word Excel things like that and they run the cloud okay and SaaS is generally designed for customers in mind then came along platform as a service um also known as PaaS and these focus on the development or sorry the deployment and management of your apps so you don't worry about provisioning configuring or
understanding the hardware or operating system and so here we have things like Elastic Beanstalk Heroku which is very popular among developers that just want to launch their code or Google App Engine and that is the old logo but that's the logo I like to use because I think it looks cool and so these are intended for developers the idea is that you just deploy your code um and the platform does the rest then there is infrastructure as a service um there's no way to say that like it's easy to say SaaS or PaaS but there's no easy way to say IaaS so this is the basic building blocks for cloud it provides access to networking features computers and data storage space and the idea here is you don't worry about the IT staff data centers and hardware and so that would be like Microsoft Azure AWS Oracle Cloud things like that and these are for administrators okay so there you [Music] go hey this is Andrew Brown from ExamPro and we are taking a look at cloud computing deployment models starting with public cloud and the idea here is that everything when I say everything I'm talking about the workloads the projects the code is built on the cloud service provider so here is a diagram where we have an EC2 instance a virtual machine running our application and then we have our database in RDS and we have the internet coming into our AWS account and so everything is contained all of our infrastructure is within AWS all right uh and so this is known as being Cloud native or Cloud first and I put an asterisk beside Cloud native because that was a term uh that was uh used prior to cloud service providers to refer to Containers or open source um uh models being deployed and being mobile other places so just understand that it has two meanings but uh in the context of this cloud of just being like native to the cloud like using Cloud to begin with okay then we have private Cloud so everything built on a company's data center uh and being built on a data center is known as being on
premise because that is where the data center resides near where you work and so here you could be using Cloud but you'd be using OpenStack which would be a private Cloud so here we have our on premise Data Center and uh the internet's coming into our data center and we're running on OpenStack where we can launch virtual machines and a database okay then there's the concept of a hybrid Cloud so using both on premise and a cloud service provider together and so the idea here is we have our on premise Data Center and then we have an established connection maybe it's a VPN connection maybe it is a direct connection um but the idea is that we're bridging that connection and uh utilizing both our private and our public uh stuff to uh create a cloud workload then there is a fourth one called cross Cloud um sometimes it's known as multicloud and sometimes it's erroneously referred to as hybrid Cloud but it generally is not uh hybrid Cloud okay the idea here is when you're using multiple Cloud providers and so one example here could be using services like Azure Arc so Azure Arc allows you to extend your um control plane uh so that you can deploy containers for Kubernetes in um Azure within Amazon EKS within GCP Kubernetes Engine but you know being cross Cloud doesn't necessarily mean that you're running a using a service that works across the cloud and manages it it could just mean using multiple providers at the same time another service that is similar to Azure Arc but is for Google Cloud uh platform is also known as Anthos um AWS has traditionally not been um cross Cloud uh friendly and so we haven't seen any kind of developments there where we see these other services that are or cloud providers behind AWS trying to promote it to uh grab more of the market share [Music] okay so let's talk about the different deployment models and what kind of companies or organizations are still utilizing uh for these particular categories so for cloud again this is where we're fully
utilizing cloud computing hybrid is a combination of public cloud and on Prem or private cloud and then on Prem is deploying resources on premise using virtualization resource management tools sometimes called private cloud or could be utilizing something like OpenStack so for companies that are starting out today or are small enough to make the leap from virtual private server to a cloud service provider this is where we're looking at Cloud so we're looking at startups SaaS offerings new projects and companies um so maybe this would be like Basecamp Dropbox Squarespace then for hybrid these are organizations that started with their own data center but can't fully move to Cloud due to the effort or migration or security compliance so we're talking about Banks fintech investment management large professional service providers Legacy on Prem so maybe CIBC which is a bank Deloitte uh the CCP or CPP investment board and then for on premise these are organizations that cannot run on cloud due to strict Regulatory Compliance or the sheer size of the organization or they just have like an outdated uh idea of what cloud is so they just have a lot of uh difficulties in terms of politics adopting Cloud um so this would be public sector like government super sensitive data like hospitals large Enterprise with heavy regulation insurance companies um so again hospitals maybe AIG the government of Canada and so I shouldn't say that they aren't using Cloud but um you know because uh AWS and all the cloud service providers have um uh public sector offering so um you know I'm just trying to Stage as an example of things that could be still using on premise so you know I know the government of Canada definitely uses uh cloud in a lot of ways same with AIG and hospitals but you know generally these are the last holdouts of on Prem because there really isn't a good reason to be fully on premise anymore uh but again there are some things that are still doing that [Music] okay hey
this is Andrew Brown from ExamPro and we are at the start of our journey creating ourselves an AWS account so what you need to do is go to aws.amazon.com if you don't have a lot of confidence how to get there just type in AWS into Google and then click here on the link where it says aws.amazon.com it'll take you to the same place now notice we have a big orange button in the top right corner so this says sign into the AWS console um it's the if it's the first time you've ever been to this website so if I go to aws.amazon.com Incognito it will have the create an AWS account button um I don't know why they don't keep this consistent across the board but I wish they did but if you are on the screen you can click here or there um but if you do see something that doesn't say uh you know create an account or Etc you can just sign in okay and then down below you can hit create a new AWS account so that's the way you're going to get in there and so you're going to put an email a password and create an AWS account name um I've created this so many times and it's so hard to set up new emails I'm not going to do this again it's not complicated but one thing I need to tell you is that you do need to have a credit card you cannot create an account without a credit card um and for those who are in places where maybe you don't have a traditional credit card maybe you can get a prepaid one so up here in Canada we have a company called KOHO and so KOHO is um a Visa debit card and so it's basically a virtual prepaid credit card and so these do work on the platform as well so if you have a traditional credit card or possibly could find one of these uh you still have to load up with money but it does give you a bit more flexibility to create that account so what I want you to do is go through that process yourself it's not complicated and I'll see you on the other end okay so once you finished creating your account you should be within the AWS Management
console and this is the page you're always going to see when you log in it's always going to show the most recent Services here um and you'll notice in the top right corner that I have my account called ExamPro if you're wondering how do you change that name what you do is to go to my accounts here and once there you'll have your account settings up here if you go to edit uh you can change that name here okay so you know sometimes when you create your account you don't like the account name that you gave it and so that's your opportunity to fix it um but once we're in our account what I want you to do is immediately log out because I want you to get familiar with the way you log into AWS because it is a bit um different than other providers and so I don't want you to uh get hung up later on with your account so I've logged out I'm going to go ahead and log back in so you can click the orange button or what I like to do is drop down my account and go to AWS Management Console it's a lot more clear and you notice we're going to have two options root user and IAM user so this is what I'm talking about for the confusion so when you log into your root user account you are always using an email and when you're logging in as an IAM user you're actually going to be entering the account ID or account Alias but what we'll do is go to the root user and this is the email you use to sign up with the account so for me uh I called this one Andrew plus sandbox exampro .
Co I'm going to go to next sometimes you get this captcha box it's very annoying but it happens time to time and so what I'm going to do is just go ahead and type that in okay and hopefully it likes it and then I'm just going to enter in my password all right and I'll be back into my account and so notice it takes me back to AWS Management Console so the root account is not something we want to be generally using uh except for um very particular use cases and we do cover that in the course uh but what I want you to do is go set yourself up with a proper account and so what we'll do is go to the top here and type in IAM and this stands for identity and access management and we'll click on IAM here and on the left hand side we're going to see a bunch of options here um and so notice right away we get to the IAM dashboard where it's going to start to make some recommendations for us the first one is always to add MFA multi-factor authentication another thing you can do is set an account Alias so you can see that I've set one here prior so if I just go ahead and remove it the way we'd have to log in is via the account Alias uh which is the same as the account ID and so I don't really like that so I'm going to just rename it to Deep Space 9 and uh these are unique so you have to pick something that is unique to you so it could be your company name or things like that it's going to make it a lot easier to log in uh when we create our additional user here so we'll come back to MFA at some point here what I want you to do is go over to users and go ahead and make yourself a new user and so I'm going to call this one Andrew Brown and I'm going to enable programmatic access I'm going to enable AWS Management Console so this one's going to allow me to use the APIs to programmatically work with AWS and this one here is going to allow me to just log into the console which is uh pretty fair here so now that I have this we can autogenerate or give it a custom password I'm
just going to autogenerate for the time being and here it says You must create a new password at the next sign in which sounds fair to me and we go ahead and create ourselves a new group so it's pretty common to create a group called admin and notice here this is where we're going to have a bunch of different policies so the first one here which is admin and access provides full access to a services and resources and this pretty much gives you almost nearly almost the same capabilities as the um AWS root user account uh and so that's going to be okay because we are an admin in our account so I'll checkbox that on but I just want to show you here if you drop down filter policies and you went to adus manage job functions these are a bunch of uh pre-made uh adus uh policies that you could apply uh to different users so what's really popular after the administrator access is to usually give the power user access and so this one allows um a user to do basically anything they want with the exception of management of users and groups so you know it could be that that's something that you'd want to do for some of your users I just don't want to have any trouble so I'm going to give us um admin access here and we're going to go ahead and create this group and so here is the group that we are creating we're going to go next we can apply our tags if we want I'm not going to bother we're going hit next review and then hit create user all right and so now what it's doing is it's showing us the access ID and the access uh key secret that we can use to programmatically access AWS and then there's a password here so I'm going to go ahead and show it and what I'm going to do is just copy this into a clipboard anywhere and so I'm just copying that off screen here because I'm going to need it to log in and I'm just going to remember my username as well all right and so what we'll do is go ahead and hit close so what I'll do is go back to my dashboard here and remember I set my 
account Alias as Deep Space 9 but we could also use the account ID to log in I'm just going to grab my account ID off screen here and what I want to do now is go ahead and log out and now log into this IAM user and this is the one that you should always be using within your AWS account you shouldn't be using your root user account so what I'll do is go over to IAM user here and notice now that it says account ID so 12 digits or the account Alias so here I can enter in uh these numbers here or I can enter in my Alias which is Deep Space 9 and again you'll have to come up with your own creative uh one there for yourself and we'll go ahead and hit next and so notice what it's going to do is now ask me what my IAM username is so I defined mine as Andrew Brown and then uh we had an autogenerated password there so that we had saw and so I'm going to place that in there we'll go ahead and hit sign in and so now right away it's going to ask me to reset the password so I'm going to put the old password in there and so now I need a new password I strongly recommend that you generate out uh your passwords to be very strong I like to go to password generator and I'll drop this down and I'll do something really long like 48 characters and um if you don't like weird characters you can take those out there sometimes it loads here so you got to try it twice um and I'm going to go down to whoops 48 there we go and so that's pretty darn long so I'm going to copy that off screen here so I do not forget and you probably would want to put this in a password manager something like Dashlane or some sort of thing like that and we'll go ahead and we will paste that in and we'll see whoops I don't want uh Google to save it uh and we'll see if it takes it and so there we go so what I'll do is now log out and I'll make sure my new password works because you really don't want to have problems later so we'll type in Deep Space 9 Andrew Brown again this is going to be based on what your uh what
you have set and we'll go ahead and log in and there I am and so now notice there doesn't say um ExamPro or whatever it says Andrew Brown at Deep Space 9 so it's using the account alias and showing the name and that's how I'm going to know whether I'm the root account user or whether I'm logged in as an IAM user all right so there we [Music] go okay so now that we have the proper user account to log in I just want to point out uh about regions so in the top right corner you'll notice it says North Virginia here it possibly will say something completely else for you but what you'll do is you'll click and drop that down and you'll see a big list of regions and so sometimes when I log in AWS it likes to default me to US East uh US East Ohio but I honestly like to launch all my stuff in US East North Virginia even though I'm in Canada I probably should be using the Canada central region down here um but the default region is going to be based on your locality okay so just understand that it might be different I strongly recommend for um all of our follow alongs you run in US East 1 because US East 1 is the original um the original region and it also has the most access to AWS services and some AWS services um such as like billing and cost and things like that are only going to show up in US East uh North Virginia so just to make our lives a lot easier we're going to set it there but I want you to understand that some services are Global Services meaning that it doesn't matter what region you're in it's going to default to Global and one example could be CloudFront so if I jump over to CloudFront here for a moment and uh we do seem to have uh some CloudFront distributions here from a prior uh follow along but notice up here that it now says Global so CloudFront does not require a region selection let's make our way over to S3 all right and this one's also Global so again this one does not require a region selection but if you go over to something like EC2 okay this has a
region dependency so just be really careful about that because a lot of times you'll be doing a follow along and you'll be like why aren't these resources here or whatever and it's because this got switched on you and it can happen at any time so just be uh cautious or aware of that [Music] okay so one of the major advantages of using AWS or any cloud service provider is that it utilizes metered billing so that is different from a fixed cost where you'd say Okay I want a server for x amount of dollars every month but the way AWS works is that it's going to bill you on the hour on the second based on a bunch of factors and so you're going to be able to get services at a lower cost however if you choose an expensive service and you forget about it or there's misconfiguration where you thought you were launching something that was cost effective but turned out to be very expensive you could end up with a very large Bill very very quickly and so uh that is a major concern for a lot of people utilizing Cloud but there's a lot of great toolings built into AWS to allow you to catch yourself if you happen to make that mistake and before we go ahead and learn how to do that I want to show you uh some place where you could end up having excessive spend without knowing it so one example and this is actually happened to me when I first started using AWS uh before I even knew about all the billing tools is I wanted to launch a Redis instance and so you just have to watch you don't have to do this but um ElastiCache is a service that allow you to launch either a Memcached or Redis uh database and I just wanted to store a single value and so I went here and I scrolled down it looked all good and I hit create but I wasn't paying attention because apparently AWS likes to default the node type here to the cache.r6g.large all right and you know you might think that AWS has your best interest in play and most services are pretty good they make sure that they're either free or
very low spend but some of these and ElastiCache is an older service where they just have these weird defaults so um you know if we were to go look up this the r6g uh large all right and look at its spend all right and we would go over here whoops I think I went to the China One but if we were to go over here and look for that instance I'm just trying to find it here for cost this one down below um this doesn't say pricing does it say our pricing here here it is so this one cost um this one costs about 2 cents per hour it doesn't sound like a lot but if we go here and we do the math we say 730 730 is the amount of hours in a month that is $150 okay so if you don't know about that and forget about that that's going to be $150 and I'm going to tell you that it used to be a lot higher I'm pretty sure they used to have it defaulted to something like this or that because I remember I did this and I had a bill that came in that was like $3,000 USD and I'm in Canada so like $3,000 USD is like a million dollars up here and so I remember um it was a big concern and I freaked out but that was okay because all I had to do was go to support and what I had done is I went to the support center and I had opened a support case and I just said hey I had this really big bill so you go here right and you look for billing and uh you look for something like charge inquiry or misspend and you say you know um you know like help my bill's too high and you just say like you explain the problem saying hey you know I was using ElastiCache and it was set to a large default and I wasn't aware about it can you please give me back the money and the great thing is that AWS is going to give you a free pass if it's your first time where you've had a misspending they generally will say Okay um you know don't do it again and if it happens again you will get billed but go ahead and learn how to set up billing alerts or things like that okay so just so you know don't freak out if you do have a
really high Bill you're going to get a single free pass but now that we know that let's go learn uh how to set up a budget [Music] okay all right so now that we've had a bit of a story about um over spend for misconfiguration let's learn how to protect ourselves against it and we're going to go ahead and set up a budget so go to the top here and type in budget and what that will do is bring us over to the billing dashboard another way to get here is to go click at the top here and go to my billing dashboard and then you'll see the left-hand menu here and so the great thing about budgets is that the first two are free it says there is no additional charge for any those budgets you pay for configured us us Mage but I'm pretty sure that that's not true because it used to be AWS budget reports okay so that cost something it used to be that AWS budgets um after success enabled will incur 10 cents daily so in addition to budget monitor you can add actions to your budgets the first two action-enabled budgets are free okay so just be aware that just because it says there's no additional charge read into it because sometimes the Fine Line will tell you it does something but I know that the first two are free what we'll do is go ahead and create a budget just going to close these other tabs here since we have no need for them and we're going to be presented with a bunch of budget types uh we're concerned about cost today so we're going to go with a cost budget and notice we can change the period from monthly to daily to quarterly to annually if you change it to daily um you won't get forecasting so I don't want that today but a monthly is pretty good you can have a reoccurring which is strongly recommended and then you can put a fixed cost notice that I already have some spend on this account so it was like 25 bucks last month I'm going to set my uh budget here to $100 and you can add filters here to um uh filter that cost out so if you want to say only for this region or
things like that you could do that uh notice that this is my spend over here um so this is my budget and that's the actual cost notice my cost has been going up the last few months because I've been doing things with this account and so what I'll do is say simple budget here we'll hit next and so now it's asking us if we want to configure alerts we probably do so you'd hit add alert and then you'd set a threshold like 80% or you could say an absolute value and then you'd put in your emails like Andrew exampro.co and I want to point out that this is using um AWS SNS or it should be anyway so Amazon SNS has no upfront cost based on your stuff here so even though you're filling out an email you know and maybe it doesn't show it but I'm pretty sure that this would create an SNS topic but what we'll do is hit next here we have an alert so we're just uh reviewing actually this is for attaching any action so maybe we want some kind of follow-up thing to happen here so we say add action and uh requires specific IAM permissions on your behalf okay sure so I guess you could follow up actions that's no different than um a billing alarm but we're not really worried about that right now I'm not going to bother with an action and we'll go ahead and create a budget and so here it's going to say that our budget is $100 it's going to show us the amount used forecast amount current budget sometimes this takes time to uh show up so I'm going to hit refresh and see if it shows up yet there we go so notice we have forecast amount $23 current budget Etc forecasted budget uh forecasted versus budget so it's pretty straightforward on how that works um I'm just curious if it actually created an SNS event so I'm going to go over here because a lot of services utilize SNS so if I go over here default CloudWatch alarm um so I think this is something I had created before so I'm going to go ahead and just delete it says default CloudWatch alarms I'm going to just click into here and
see what I have confirmed so I think it might have used this when we created it but um the reason I'm bringing up SNS is that there's a lot of services that allow you to uh email yourself for alerts and it always integrates with this service and so I just kind of want to point that out so that you remember what SNS is for um but yeah so setting up a budget is not too hard so there you [Music] go all right so now that we've set a budget what I want to talk to you about is the free tier and the free tier is something that is available to you uh for the first 12 months of a new AWS account and allows you to utilize AWS services without incurring any cost to you and so it's in your advantage to utilize this free tier um as you are experimenting and learning cloud so if you want to learn about all the offerings what you do is go to Google type in AWS free tier and you'll get this page that explains all the sorts of things here so you can get uh 750 hours on EC2 RDS things like that there are stipulations in terms of what it would be so here this is a T2 or T3 micro running Linux Red Hat um or other type of OSes okay so there are uh details you have to read the fine print some services are only available for the first two months things like that so it's going to highly vary based on service but it's worth giving this a read in areas that you are interested in now the thing is is how do you know that you are still in the free tier or you go outside of it and that's what I want to talk to you about right now so I am actually in another AWS account so notice in the top right corner it says brown.
laptop or hyphen laptop exampro dot co sometimes I will switch into different AWS accounts during these follow alongs so I can best show you um you know the settings so if you make your way over to billing and actually I should show you up here if we go to my billing dashboard just trying to be consistent here and you go to the left-hand side to billing preferences what you can do is enable receive free tier usage alerts and then put your email in there and save that and so turn on this feature to receive email alerts when your AWS service usage is approaching or has exceeded the AWS free tier usage limits if you wish to receive these alerts etc etc etc right and while you're there I want you to also checkbox receive billing alerts so I can show you how to set a bill uh a billing alert and AWS says you know budgets are a new thing but billing alerts are still something that we use as of today so if you checkbox that on we'll be able to see your cost if we go back here uh it should show you um it's because I'm out of the free tier on this account but it would show you in the alerts you know your usage there so example here is if we scroll down this is the documentation tracking your AWS free tier usage you would see like a box like this and would say hey your free tier usage limit is here and you're over it okay so that generally would show up on this panel here but again I'm outside of the free tier so I'm not seeing it here um today okay so you know hopefully that is clear um but yeah there you go [Music] all right so we created ourselves a budget we're monitoring our free tier but there's another way that we can monitor our spend and that is through billing alerts or alarms and it is the old way before uh we had AWS Budgets this was the only way you could do it but I still recommend it because there is a bit more flexibility here with this service and so I wanted to teach you early on so that you know it's available to you or if you want to play around with it in
the future so what you'll do is go to the top here and type in CloudWatch and CloudWatch is one of those services where it's actually a collection of services so there's CloudWatch alarms CloudWatch logs CloudWatch metrics those are all individual services and AWS loves to update their interface so sometimes you'll be presented with this option to uh change the latest interface I'm going to try out the new interface here um and that is one challenge with AWS is you always have to expect that they're going to change the UI on you and you're going to have to work through it so just understand that I try to keep my videos up to date as best I can but part of the challenge is getting used to that so this is what they have today I don't know if they're going to stick with this but this is what it looks like but what I want you to do is make your way over to alarms on the left-hand side and notice that we actually have a section just for billing which is interesting I don't remember them having that before so it's new so uh here it says AWS CloudWatch can help you monitor the charges of bill remember that we had to turn that on get 10 free alarms with 1,000 free email notifications each month as part of the free tier so understand that if you create billing alarms they do cost money um as well if you go over that limit but you sure get a lot 10 free alarms is quite a bit what we'll do is go ahead here and create ourselves alarm we are going to go and choose a metric and so here are the options we could choose from and so we I think would like um billing and see we can do by service or total estimated charge we're going to do a total estimated charge we can only select USD I've never seen any other currency ever there and so here we kind of get this little graph where we can see stuff um but this is a lot more powerful than budgets because you can do anomaly detection uh so like here it will actually check base between a range as opposed to just going through a
particular value but what I'll do is just set a value here like uh $50 right so notice that it sets the line up here and this is my current spend here right and so back to anomaly detection this is a lot smarter so uh the idea is that if something is outside this band of a certain amounts um then it would alert okay but I'm going to go back here I'm just going to set this to $50 and that looks okay to me you can change the period 6 hours is fine um and there's additional configuration that's fine as well we're going to go ahead and hit next uh and so the idea is that um you know if it passes that red line it will go to an in alarm state and then what it will do is uh we want to uh have it to trigger an SNS topic so I would generally just create a new one here we'll just say my billing alarm okay and then here we'll just set the email Andrew exam pro. and we'll go ahead and create that topic and so that is now set I don't know if it would uh confirm it we might have to go to our email to confirm it so notice it says pending confirmation so what it has done is it sent me out an email and it wants me to click that link to confirm um that I want to subscribe to it so I might just do that off screen to show you here okay so I'm just going to pull up my email here just give me a moment okay and so if I come back here this is the email that came in so I'm just going to confirm that subscription says I'm confirmed good and if I refresh this page we can now see that that is confirmed all right so we'll scroll down here so we can uh trigger an auto scaling action so maybe you know if you have too many servers you say hey the cost is too much shut down those servers there's EC2 actions things like that so these are kind of similar to um budgets right there's Systems Manager actions I imagine all these things are available in budgets as well but budgets just makes it a little bit easier to look at so I'm going just say my simple billing alarm here we'll hit next all
right we'll hit create alarm and there you go so billing alarms don't have like forecasting and things like that um but you know they are they do have their own kind of special utility and so I utilize both okay so there we go we'll just go back to our Management console and move on to the next [Music] one so one of the strongest recommendations that AWS gives you is to say to set MFA on your AWS root user account so that's something we're going to do right now so make sure you're logged into the root user account so I'm going to go log out as my IAM user I'm going to go back and log in and I'm going to log in as my uh root user here so to do that no sometimes it will be expanded as the IAM user click and sign into root user here we'll have root user I'm going to go ahead and enter my email that I used and if you do switch accounts frequently they will ask you these silly captchas which drive me crazy but uh you know it happens you probably won't encounter it as much as I do and so I'm going to go ahead and grab my password here and paste it on in and so now that I'm in what I want to do is make my way over to IAM and I'm going to go and look for users actually sorry just right here add an MFA root user we're going to go ahead and hit add MFA all right and so that's going to bring us to this screen and so here we can activate our MFA and so we have a few options here so we have virtual MFA device U2F security key other hardware like a uh Gemalto token so you know I generally use this because I have a security key and I want to show you what I'm talking about so this is how I log into my machine or my AWS account this is a security key a YubiKey that sits on my desk I tape it so it doesn't fall off the cord but the idea is that when I log in I have to press this little button here to double confirm before I get into my account uh but if you don't have a security key you can just use a virtual MFA and all that means is you're going to um use something on
your phone to log in so we'll click continue here and so it says install a compatible app on your mobile phone or device and so if you click and open this what it will do is tell you about some things that you can use um so if we scroll down to virtual here they suggest uh if you have Android iPhone so Authy Duo Mobile LastPass Microsoft Authenticator Google Authenticator so Google Authenticator Microsoft Authenticator and Authy here I have all those three installed um honestly Authy has the nicest simplest um UI but I'm using Microsoft Authenticator quite a bit so anyway whichever you want to do it's fine but what we'll have to do is go back here and then it says use your virtual MFA app on your device camera to scan your QR code so once you have one of those apps installed like Authy or whatever one you want what you're going to do is open up the application and I can't tell you exactly where it is but you'll have to hit add account in your app and then from there it will ask you to scan your QR code and so uh once you're ready you hit show the QR code you hit scan the QR code on your phone I'm holding my phone up to my um uh my computer screen here and it's going to find it and I'm just going to take a moment here to rename the account so I can tell what it is so I'm just naming it AWS sandbox because that's what I call this account and I'm going to go ahead and save that and so now what I can do is enter uh two consecutive MFA codes now this always confuses me what they wanted here but the idea is that you're going to see one code right whatever is on the screen right now so I'm going to type in it it says 734 051 and I'm going to wait until the new code shows up so there's like a timer in all these apps and they go across the screen or they count down and so you have to wait for that to happen and so I'm just going to wait here a little bit and once I get the new number here this one is 07153 0 I'm going to hit assign MFA and there we go and I
can't tell you how many times I like mess that up because I didn't understand the consecutive numbers but you're just waiting for uh the number that's on the screen to entered in and then enter the next one in to turn on MFA and so now your account is protected and every time you log in you're going to have to enter in MFA so let's log out and see what that looks like so we'll go ahead and sign in and uh again we'll put in our root user account here we'll type in 74m 32t submit and I need to go grab my password so that's in my password manager just give me a moment here and now it wants the MFA code so this is in my phone and so I'm going to go enter it in so this one says 475 841 all right we'll hit submit okay and there we go so that's going to happen every single time we want to log in uh I'm going to tell you that if you get one of these they're so much easier to use because you just press the button okay so that's why I have this because I cannot stand entering the code in time and time again um but you know those are your options there [Music] okay hey this is Andrew Brown from ExamPro and we're looking at the concept of innovation waves so when we're talking about innovation waves we're talking about Kondratiev or K-waves which are hypothesized cyclic phenomena in the global world economy and the phenomenon is closely connected with technology life cycles so here is an example where each wave irreversibly changes the society on a global scale and if you look across the top we can kind of see what they're talking about so we have steam engine cotton uh railway and steel electric engineering chemistry petrochemicals automobiles information technology and so the idea is that uh cloud technology is the latest wave and I'm not sure if you'd fit Web3 in there as well ML AI but maybe they're all part of the same wave or they're separate waves but generally they're broken up based on this PRDE here where it says prosperity recession depression and movement uh
improvement sorry and so this is the common pattern of wave we see a change of supply and demand and so if we're seeing this we know that we are in a wave and where we are in a wave [Music] okay hey this is Andrew Brown from ExamPro and we are looking at the concept of a burning platform so burning platform is a term used when a company abandons old technology for new technology with the uncertainty of success and can be motivated by fear that the organization's future surv uh survival hinges on digital transformation and just to kind of give you visualization here is a literal burning platform so imagine you have to jump to it jump from it to make a change so um you know burning platform could be you know stop using on-prem and start using cloud or maybe it going from cloud to Web3 um and that's generally the idea when we talk about a burning [Music] platform so I just want to quickly show you that digital transformation checklist that I mentioned and the way you can get to it is by typing in digital transformation AWS and so it should bring you to the public sector page and here it is so we click there and all it is is a PDF uh so it's not new it's from 2017 but that doesn't mean that it's not uh valid anymore uh it's just that that's when it was made so we scroll on down and we can see transforming vision and so we have a checklist there so if we click into this uh we can see things like communicate a vision of what success looks like define a clear governance strategy including the framework of achieving goals uh build a cross functional team identify technical uh partners they talk about shifting the culture and then down below I assume that this one is related to that one it's unusual because you know they just have a checklist here but then they have a sub checklist which must be clear to that so reorganize staff into smaller teams things like that so it's not super complicated you'll see each category go go cloud native they'll have a checklist um you
know and if you are at the executive level or the sales level or trying to convince your VPs or stuff like that give this a it might give you something uh useful in the end uh to help better communicate that transformation for you [Music] okay hey this is Andrew Brown from ExamPro and we are looking at the evolution of computing power so what is computing power it's the throughput measured at which a computer complete computational tasks and so uh what we're pretty much used to right as of these days is general computing so a good example here would be a Xeon CPU processor that's more of a high-end processor not something you'd find your home computer but when we're talking about data centers specifically uh um you know in AWS data centers Xeon CPU processors are what you're going to come across uh then came along a new type of compute which is GPU computing um when we're talking about Google uh Cloud they have tensor computing and so this is where I get the 50 times faster based on that metric and so I didn't have an exact metric here for AWS uh um solution for this mid-tier of computing power so I just that 50 times there but the idea is that GPU computing or tensor computing uh is 50 times faster than traditional CPU and generally that's going to be used for uh very specialized tasks when you're doing machine learning or AI so it's not something you're going to uh be doing for your regular uh web workloads but just understand that all of these uh fits so we're not getting rid of general computing we're just adding uh new levels to compute then there's the latest which is uh quantum computing and so here we have an example of the Rigetti 16Q Aspen-4 and so it literally looks like it's out of um science fiction and this thing is like a 100 million times faster it is super cutting edge and we don't even know exactly how it works and there's not even anything that's very applicable that we can use this for but the idea is that we're not done with the
evolution of computing power things are going to get a lot faster once we solve this last one here and so AWS service offering here would be for general computing you're looking Elastic Compute Cloud EC2 so we have a variety of different uh instance types and they're all going to have different types of hardware with different types of general computing um for GPU computing this is a specialized chip that AWS has produced called the AWS um and I don't know how to say it but we'll just abbreviate it to infer so AWS infer chip um and this was designed as a direct competitor to uh GCP's uh tensor computing uh unit the T TPU um and so this is intended for AI ML workloads but it works with not just um TensorFlow but it works with any machine learning framework so that is one advantage it has over uh TPUs um and then the last one here is AWS Braket so you can actually use quantum computing as a service on AWS you uh as of even today um the way AWS is able to do this is they work with Caltech so that's the California technology um University or Institute I'm sure the name of it there um so it's not exactly AWS producing this but AWS is doing this as a partnership to give quantum computing accessible to you okay so I'm here in the AWS console because I just want to prove to you that you can use quantum computing on AWS it's that accessible so all you'd have to do is go to the top here type in Braket uh and then you make it over to Amazon Braket and so here uh you can like set up quantum tasks the first time you set it up you got to go through this process here um and I think I have to go through this onboarding to be able to show you the next steps so I'm going to go ahead and enable Braket in this AWS account okay and I'm not going to launch anything I'm just going to try just kind of show you a little bit of what is accessible to you because it's not super exciting but the fact that you can do it is kind of interesting so here I am on the inside here and
we have all these different types of quantum computing so D-Wave IonQ Rigetti things like that and then down below these are the quantum processing units the QPU and then down below you have the simulator so you can kind of simulate uh these things here um so I think that's kind of interesting uh but in terms of the cost like if you scroll on down here um so AWS Braket is part of the AWS free tier it gives you one free hour of quantum circuit simulation time per month during the first 12 months so it's free to do uh a circuit simulation but if you actually want to run it on the actual hardware you can see the cost there's the per task price the per shot price things like that uh what could you do with this I don't know there's things called like quad bits or something like that and I can't imagine that you're going to be doing anything useful but I think it's just more so like you are sending out quad bits or whatever they are and you're observing them um but what you could do with them I have no idea but it's just exciting that you can do that I didn't have any spend just by activating that I'm just kind of just showing you there okay [Music] hey this is Andrew Brown from ExamPro and we are looking at the benefits of cloud and this is a summary of reasons why an organization would uh consider adopting or migrating to utilizing public cloud and so we'll quickly go through the list here uh because in the followup slides we actually go into them a bit more detailed so we have agility pay as you go economy of scale global reach security reliability high availability scalability um um and elasticity so the thing is is that AWS had this before it was called the six advantages of cloud but they have reworked it to include additional items um and so where you see these uh sub bullets here those are the original six as you see 1 2 3 4 five six and so I kind of just put them where they kind of uh fall under the new categories there and you'll notice that AWS
has included high availability elasticity reliability and security as uh new ones here okay and so the thing is is that um I have always even in my original uh I think in my original cloud practitioner had cloud architecture as a separate section and included all these things in here so it's a great thing to see that AWS has included it um but in terms of how I organized this course we're not going to cover them in this section because I have the cloud architecture section so just understand that we will come to those eventually and I would just say that AWS is still missing something on this list which is fault tolerance so you know my list looks like this except I would add fault tolerance to it so you have everything there um and disaster recovery okay so the benefits of cloud is a reworking expansion of the six advantages of the cloud and we will look at the original six advantages um and then look at another one that is more of a generalized one that I've used across my courses so that we fully understand the benefits [Music] okay all right let's take a look here at these six advantages to cloud defined by AWS and so these are still uh part of AWS's marketing pages um but you know it's interesting because you can't find the benefits of the cloud in a single page on any at least at the time of making this so there's a bit of disconnect between the um exam guide and the actual marketing material but that's okay I fill it all in for you so you know I'm just again noting that the six advantage of cloud was the original description for cloud benefits and we'll go through them okay so the first is trade capital expense for variable expense so you can pay on demand meaning that there is no upfront cost and you pay for only what you consume or you pay by the hour minutes or second so instead of paying for upfront costs of data centers and servers the next is benefit from uh massive uh uh economies of scale so you are sharing the cost with other
customers to get unbeatable savings hundreds of thousands of customers utilizing a fraction of a server stop guessing capacity so scale up or down to meet the current needs launch and destroy services whenever so instead of paying for idle or underutilized servers we have increased speed and agility so launch resources within a few clicks and minutes instead of waiting days or weeks of your IT to implement the solution on premise we have stopped spending money on running and maintaining data centers so focus on your customers developing and configuring applications so instead of operations such as racking stacking and powering servers the last is go global in minutes so deploy your app in multiple regions around the world with a few clicks provide low latency and a better experience for your customers at minimal cost the six advantage of cloud still apply and um I like to include them here because they just have a different kind of a lens or angle when you're looking at this stuff and so we've looked at the six advantages of cloud and now let's take a look at the next slide my reworking of the six advantage of the cloud to be more generalized [Music] okay all right I just wanted to show you where that six advantages of cloud computing comes from it's part of AWS documentation so I typed it in here and you can see that it is still around uh and so it's unusual because this used to be part of the marketing website it had those nice little graphics um but for whatever reason it's over here now in the overview of Amazon Web Services and by the way if you're starting out with AWS this is a very light read but it is a good read uh to get started with we obviously cover all this stuff in the course um but you know maybe you'll get something different here but the idea is that AWS has definitely expanded on this but for whatever reason this documentation hasn't changed so just understand that I've polyfilled that for you in this course [Music] okay all
right so this is the seven advantages to cloud I said six but I meant to say seven and so um you know since I've created fundamental courses for all the cloud providers I started to notice kind of a trend and so what I did is I normalized it into my own seven advantages and this actually maps up really well to the new benefits of the cloud so it looks like AWS was thinking the same as I was um with the exception of those cloud architect stuff which I keep in a separate section but let's go through it and see what is here so the first is cost effective you pay for what you consume no upfront cost on demand pricing so pay as you go PAYG with thousands of customers sharing the on uh sharing the cost of resources AWS used to refer to this always as on demand pricing and Azure always said pay as you go and so it looks like AWS now uses both on demand and pay as you go to describe them which is great um but there you go then we have global so launch workloads anywhere in the world just choose a region it's secure so cloud provider takes care of physical security cloud services can be secured by default or you have the ability to configure access down to a granular level uh it's reliable so data backup disaster recovery data replication fault tolerance it's scalable increase or decrease resources and services based on demand uh elastic so automate scaling during spikes and drop in demand current so the underlying hardware and managed uh software is patched upgraded and replaced by the cloud provider without interruption to you so I think this is one that isn't on the benefits of the cloud which is a really good one um but uh yeah that's the [Music] seven hey this is Andrew Brown and we're taking a look at AWS Global infrastructure so what is it well the AWS global infrastructure is a globally distributed hardware and data centers that are physically networked together to act as one large resource for the end customers so what does that mean well if you look at the
globe on the right-hand side and that globe is really cool because AWS used to have a website where you could uh see a 3D uh globe and see where all their resources are for whatever reason they took it down but I still have the screenshot of it but the idea is that um the global infrastructure represents all that hardware and the connectivity between that hardware around the world so what kind of resources are we talking about we're talking about regions we're talking about availability zones direct connections uh PoPs also known as point of presence local zones wavelength zones uh and we should point out that AWS has millions of active users uh or customers and tens of thousands of partners globally so they really are uh kind of everywhere um and if you're wondering well what are all these resources that's what we're going to get into next we're going to break down uh what all these particular resources are because you definitely need to know what they are but hopefully that gives you at a high level that AWS has this thing called Global infrastructure [Music] okay hey this is Andrew Brown and we are on the marketing website for AWS under Global infrastructure and this is a great way if you want to explore more and make sense of that Global infrastructure so we scroll on down here we have a nice map and it's kind of indicating as to where those regions are notice that there is uh ones in red which are coming soon the Canada West they've been talking about that for I think a couple years now so still waiting for those but you know just like every cloud provider they're always expanding looks like we can get a full list here um and it should indicate where uh when they launched and if they're launching more things so you know that is a nice little list uh that we can get access to but if we go all the way to the top across the top we can go to Regions and AZs uh and this is where we should get better information this is definitely different from before and I
don't think the top of Canada is supposed to look like that but uh I guess it's the best that they can do so uh what I want to point out on these pages is uh the terms of uh the number of resources so I'm just going to bump up the font because it's a little bit small even for me if we go on down below here you can see that it's describing um let's say a particular region so here in Canada we can see uh we have three availability zones and when it launched sometimes they have these asterisks on here so it says located in the Montreal uh metropolitan area so that's a good indicator because central Canada could mean Toronto could mean Winnipeg so that's why they put the asterisk on there um but just notice that what you'll usually see for availability zones you'll never see anything beyond six I'm not sure why but that seems to be the max usually when a region launches it should have three availability zones I think in the past there might have been some that did not have um at least three and the reason why it's important to have three in a zone is that is how we get high availability uh the way you do that is you should have um let's say we're talking about compute that compute should be um running redundantly into other data centers in your region to ensure um that you have uptime in case the other two go out so just make note of that if you're coming from Azure Azure uh will launch things without having all of their uh zones uh GCP is really good where they'll always at least have three so uh each provider works a little bit differently there um but yeah you can see here for North America we just scroll through here you can find your particular area and look at the map uh and wonder why it's so distorted but yeah hopefully that gives you kind of an idea there and if you want to explore any of these other uh particular offerings you absolutely can of course we do cover in the course so it's not really necessary to do that but I thought uh it'd be nice to
show you this page okay [Music] ciao hey this is Andrew Brown from ExamPro and we are taking a look at AWS regions and regions are geographically distinct locations consisting of one or more availability zone and so here is a world map showing you all the regions that AWS has in the world and the blue ones represent regions that are already available to you and the orange ones represent ones that AWS is planning to open so AWS is always expanding their infrastructure uh in the world so always expect there to be uh more upcoming ones every region is physically isolated from and independent of every other region in terms of location power and water supply and the most important region that you should give attention to is us-east-1 uh in particular so this is Northern Virginia it was AWS's first region where we saw the launch of SQS and S3 uh and there are a lot of special use cases where things only work in us-east-1 and we'll find that out here in a moment what I do want to show you is what it looks like for an architectural diagram when you are seeing a region so notice that we have this um uh little flag here it says us-east-1 us-west-1 and inside of it we have an EC2 instance so that is going to represent a region in our architectural diagrams uh but let's look at some of the facts here and understand why US East or us-east-1 is so important so each region generally has three availability zones and that is by intention and we will talk about that when we get to the availability zone section some new users are limited to two or uh to two uh but generally there's always three okay new services almost always become available first in US East and specifically us-east-1 not all services are available in all regions all your billing information appears in us-east-1 so that's a us-east-1 particular thing uh the cost of AWS services vary per region and so if you were on the marketing website or uh for Global infrastructure you can see uh here in North America
they will say like when it launched how many availability zones and there might be some conditions so you'll notice there's like an asterisk uh beside these things here or um in this one particular there's an asterisk saying hey there are three zones but generally you're limited to two okay when you choose a region there are four factors you need to consider uh what are the regulatory compliance does this region meet what is the cost of this AWS service in this region what AWS services are available in this region and what is the distance or latency to my end users and those are those four factors that you should remember [Music] okay all right so we just talked about AWS regions now let's talk about uh how that affects our services versus regional and global services so regional services are scoped based on what is set in the AWS Management Console on the selected region so you have this drop down and that's what you'll do you'll say okay I want to have resources in Canada or in Europe uh so this will determine where an AWS service will be launched and what will be seen within the AWS services console you generally don't explicitly set the region for a service at the time of creation I explicitly mentioned this because when you use something like GCP or Azure when you create the resource that's when you select the region but AWS it has this kind of global thing which is unique to their platform um then there's the concept of global services so some AWS services operate across multiple regions and the region will be fixed to the word Global and for these that's services like S3 CloudFront Route 53 IAM so the idea is if you were to go over to CloudFront and go into the CloudFront console you'll notice that it will just say Global and you can't switch out of that uh for these global services um at the time of creation it's a bit different so we were saying up here for regional ones that you don't select the region but when you are creating global services if you're using
something like IAM there is no concept of region because they're just globally available so you don't have to determine a subset of regions if you're using S3 bucket that has to be in one region so you actually do have to select a region at time of creation um and then there's something like CloudFront distributions where you were choosing a group of regions so you either say all of the world or only North America which is more like geographic distribution so you don't say the region in particular but you know hopefully that gives you a distinction between regional services and global services [Music] hey this is Andrew Brown from ExamPro and we are taking a look at availability zones so availability zones commonly abbreviated as AZ and I'll frequently be using the term AZ are physical locations made up of one or more data centers so a data center is a secured building that contains hundreds or thousands of computers uh and this is one of my favorite graphics I like to show of course uh you know AWS would never have a dog um in their data center but I just thought that would be fun a region will generally contain three availability zones and I say generally because there are some cases where we will see uh less than three so there might be two um data centers within a region will be isolated from each other um so there will be in different buildings but they will be close enough to provide low latency and that is within the uh 10 milliseconds or less so it's very very low uh it's common practice to run workloads in at least three AZs to ensure services remain available in case one or two data centers fail and this is known as high availability and this generally is driven based on regulatory compliance so a lot of companies uh you know they have to at least be running in three AZs and that's why AWS tries to always have at least three AZs within a region uh AZs are represented by a region code followed by a letter so here you know you'd have us-east-1 which would
be the region and then the a would represent the particular availability zone in that region um so a subnet which is related to availability zones is associated with uh two availability zones so you never choose an AZ when launching resources you always choose a subnet which is then associated to an AZ a lot of services um you know don't even require you to choose a subnet because they're fully managed by AWS but in the case of like virtual machines you're always choosing a subnet okay so here is a graphical uh representation or a diagram that's representing two availability zones so here we have the region US East 1 and US West 2 and then we have our two AZs so here is 1a and 1b and so these are effectively the subnets okay and so within those subnets then you can see or availability zones you will see that we have uh two virtual machines okay so the US East 1 region has six AZs and I thought that's just kind of like a fun fact because it is the most out of every single one um I don't think any one comes close to US East 1 but of course it is the most popular it is the uh first uh um region or so it's not a surprise that that one has that many [Music] okay so we just covered regions and availability zones but I really want to make it clear uh what they look like so I kind of have a visual representation so let's say we have our AWS region and in this particular one we have Canada Central which in particular is Montreal so ca-central-1 uh and the idea here is that a region has multiple availability zones so here you can see that we have uh 1a 1b and 1d for some reason AWS decided to uh not launch 1c maybe it's haunted who knows you know um and then within your um availability zones they are made up of one or more data centers so just understand that an AZ is not a single data center but could be a collection of buildings and that these AZs um are interconnected with high bandwidth low latency networking they're fully redundant dedicated metro fiber
providing high throughput latency networking between so just very fast connections in between and all traffic between AZs is encrypted and these AZs are within 100 km so about 60 miles uh of each other [Music] okay so what I want to do here is just show you uh how regions and availability zones work with some different AWS services so you have a general idea when you are selecting a region or AZ and when you're not so within when you want to select a region you're going to go up here and change it and this is going to apply to regional services a very famous example of a regional service would be EC2 so we go over to EC2 which is elastic uh cloud computing or compute whatever always forget the name of it and what we can do is go over to instances I'm going to launch an instance I'm not going to complete the process I just want to show you what would happen when you go select some things here so I'm going to go with Amazon Linux 2 um we're going to just go to uh next here and so here is where we're going to select um our availability zone so up here we have North Virginia that's our region and when I say we're selecting availability zone we're actually selecting the subnet so here we are choosing a subnet and a subnet is associated to an availability zone and every single um region has a default VPC and that VPC has uh subnets set up and the subnets are defaulted to each of the availability zones available so US East 1 has six of them so this server is going to launch in us-east-1b so this is a regional service okay uh then we have global services like S3 so we go over to S3 and it says it's Global right and so we're going to go ahead and create our bucket and so here we choose the region so we go down we're going to say the region we want to be in but we don't choose the availability zone because there's nothing to um uh choose because AWS is going to run these in multiple AZs and it doesn't matter to you what it's doing there okay um so there's that and then
there's something like CloudFront so CloudFront's a little bit uh different here so we go over to CloudFront and we create ourselves a distribution um and so yeah if you don't have that option there because sometimes AWS has like a splash screen just click on the left hand side then go to distributions okay okay and so here well they changed it again on me they're always changing this UI but if we scroll on down it should allow us to change um change where this is going to launch it's like global stuff like that literally they just recently changed this and that's why I'm confused uh we'll scroll on down here it used to be maybe it's under legacy additional customized oh it's here sorry okay so notice here the price class that says use the edge locations for best performance North America and Europe North America Europe Asia middle uh Middle East and Africa so we're not choosing a particular region we're picking a geographical area and so those are pretty much the major um uh uh examples of that uh then there's of course things like IAM where you don't even say where it is so you go into IAM you know and if I create something like a group uh over here a user group whoops here I say create group you know I'm not saying oh this is for this particular region or something like that okay so yeah hopefully that makes [Music] sense hey this is Andrew Brown from ExamPro and let's take a look here at fault tolerance specifically for global infrastructure and so before we jump into that let's just define some fault terminology here so let's describe what a fault domain is so a fault domain is a section of a network that is vulnerable to damage if a critical device or system fails and the purpose of a fault domain is that if a failure occurs it will not cascade outside that domain limiting the possible damage and so uh there's this very popular meme called This is fine where uh there's obviously a serious problem but uh the person's not freaking out and I gave
it some context to say well the reason they're not freaking out because they know that is a fault domain and nothing outside of this room is going to be affected okay so you can have fault domains nested inside of other fault domains uh but generally they're grouped in something called fault level so a fault level is a collection of fault domains um and the scoping of a fault domain could be something like specific servers in a rack an entire rack in a data center an entire room in a data center the entire data center building and it's really up to the cloud service provider to define those boundaries of a domain AWS abstracts it all away so you don't have to think about it but just to compare it against something else when you're using Azure you actually define your fault domain so you might say like okay uh make sure that this workload is never running on the same VM on the same rack for these things uh and you know you might like to have that level of control but I really like the fact that AWS just abstracts it away I'm not sure how they segment their uh their their fault domains but they they definitely are some broader ones which we'll describe right now so when we're looking at an AWS region this would be considered a fault level and then within that fault level you would have your uh availability zones and these would be considered fault domains and of course those data centers can have uh fault domains within them okay like maybe you know they have everything in a particular room and that room is secure so like if there's a fire in that room it's not going to affect the other room things like that um so each Amazon region is designed to be completely isolated from the other Amazon region they uh they achieve this with the greatest possible fault tolerance and stability uh each availability zone is also isolated but the availability zones in a region are connected through low latency links each availability zone is designed as an
independent failure zone and so here we have uh some kind of different language that AWS is using um I've never experienced this terminology in any other cloud service provider so I kind of feel like it's something that AWS made up but basically a failure zone they're just basically saying a fault domain but let's kind of expand on their fault uh failure zone terminology so availability zones are physically separated within a typical metropolitan region and are located in lower risk uh flood plains discrete uninterruptible power supply so UPS and on-site backup uh generation facilities uh data centers located in different AZs are uh designed to be supplied by independent substations to reduce the risk of an event on the power grid impacting more than one availability zone availability zones are all redundantly connected to multiple tier one transit providers and we'll talk about what those are uh in an upcoming slide and just one thing I want to note here is that when you adopt multi-AZ you get high availability so if an application is partitioned across AZs companies are better isolated and protected from issues such as power outages lightning strikes tornadoes earthquakes and more so that's the idea behind you know why we want to run in multi-AZ okay because of these fault [Music] domains hey this is Andrew Brown from ExamPro and we're talking about the AWS Global Network so the global network represents interconnections between AWS global infrastructure and it's commonly referred to as the backbone of AWS so is EC2 so just understand that that could be used in more than one way but think of it as a private expressway where things can move fast between data centers and uh one thing that is utilized a lot to get data in and out of AWS very quickly is edge locations they can act as on and off ramps uh to the AWS Global Network of course you can uh get to the network through PoPs which we'll talk about um you know in the upcoming slides here but let's
just talk about edge locations and what services use them so uh when we're talking about things that are getting on to the AWS network we're looking at things like AWS Global Accelerator AWS S3 Transfer Acceleration and so uh these use edge locations as an on-ramp to quickly reach AWS resources in other regions by traversing the fast AWS Global Network notice that the names in it say accelerator acceleration so the idea is that they are moving really fast okay on the other side when we talk about like an offramp we're looking at Amazon CloudFront which is a content distribution network this uses edge locations to uh as an offramp to provide at the edge storage and compute near the end user uh and one other thing that is kind of always utilized in the global network are VPC endpoints now these aren't using edge locations but the idea here is that this ensures your resources stay within the AWS network and do not traverse over the public internet so you know if you have uh you know a resource running in US East 1 and one in uh EU it would and they never have to go to the internet it would make sense to always enforce it to stay within the AWS network cuz it's going to be a lot faster so there you [Music] go hey this is Andrew Brown from ExamPro and we are taking a look at point of presence also known as PoP and this is an intermediate location between an AWS region and the end user and this location could be a data center or a collection of hardware so for AWS a point of presence is a data center owned by AWS or trusted partner that is utilized by AWS services related for content delivery or expedited upload so a PoP resource could be something like an edge location or regional edge cache so as an example over here we see an S3 bucket and it has to go through regional edge cache and then get to an edge location let's go define what those are so edge locations are data centers that hold cached copies on the most popular files so web pages images and videos so
that the delivery of the distance to the end users are reduced then you have regional edge locations and these are data centers that hold much larger caches of less popular files to reduce a full round trip and also to reduce the cost of transfer [Music] fees so to kind of help put PoPs more in presence just in the general sense here is a diagram I got from Wikipedia that kind of just shows a bunch of different networks and notice where the PoP is it's on the edge or the intersection of uh two networks so here you know we have um you know tier three and then this tier two and there's this PoP that is in between them okay so tier one networks is a network that can reach every other network on the internet without purchasing IP transit or paying for peering and so the AWS availability zones or AZs are all redundantly connected to multiple tier one transit providers [Music] okay all right so let's take a look at some AWS services that are utilizing PoPs or edge locations for content delivery or expedited upload so Amazon CloudFront is a content delivery network service and the idea here is you point your website to CloudFront so that it will route requests to the nearest edge location cache it's going to allow you to choose an origin so that could be a web server or storage that'll be the source of the cache and caches the content of what origin would return to various edge locations around the world then you have Amazon S3 Transfer Acceleration this allows you to generate a special URL that can be used by the end users to upload files to a nearby edge location once a file is uploaded to an edge location it can move much faster within the AWS network to reach S3 then at the end here you have AWS Global Accelerator you can find the optimal path from the end user to your web servers so Global Accelerators are deployed within edge location so you send user traffic to an edge location instead of directly to your web application this service is really really great
for if let's say you are running a web server in US East 1 and you just don't have the time uh to set up infrastructure in other regions you turn this on and you basically get a booster [Music] okay hey this is Andrew Brown from ExamPro and let's take a look at AWS Direct Connect so this is a private or dedicated connection between your data center office colocation and AWS and so the idea here is imagine if you had a fiber optic cable running from your uh data center all the way to your AWS so that it feels like uh when you're using your stuff on your data center like your local virtual machines that uh there's like next to no latency okay so Direct Connect has two very fast network connection options we have the lower bandwidth which is at 50 to 500 megabytes per second and then you have the higher bandwidth which is 1 GB to 10 GB per second so using Direct Connect helps reduce network cost increase bandwidth throughput so great for high traffic networks provides a more consistent network experience than a typical internet based connection so reliable and secure um I do want to point out the term colocation if you never heard of that before a colocation or a carrier hotel is a data center where equipment space and bandwidth are available for rental uh to retail customers and I do want to also point out that even though it says private up here and this is the language that AWS used I usually just say dedicated but the connection is private but that doesn't necessarily mean it's secure okay so uh we'll talk about that when we reach AWS VPNs and how we can use that with Direct Connect to make sure our connections are secure [Music] okay all right so let's take a look at what a Direct Connect location is so a Direct Connect location are trusted partner data centers that you can establish a dedicated high speed low latency connection from your on premise to AWS so an example of a partner data center would be one like here in Toronto the Allied data center so
you can tell that's right down in uh the Toronto center and so you would use this uh uh as part of Direct Connect service to order and establish a connection okay [Music] hey this is Andrew Brown from ExamPro and we are taking a look at local zones which are data centers located very close to densely populated areas to provide single-digit millisecond low latency performance so think like seven milliseconds for that area so here is a map of uh local zones that exist and ones that are coming out I believe the orange ones are probably ones that are on their way and so to use a local zone you do need to opt in so you got to go talk to AWS probably open a support ticket to get access to it the first one to ever be launched was uh the LA one uh and so um you know when you want to see it it looks just like an availability zone it's going to show up under whatever region that is because these are always tied to existing regions so the LA one is tied to US West uh region and the AZ would look like US West 2 hyphen LAX hyphen 1a okay so only specific AWS services have been made available so there's particular EC2 types EBS Amazon FSx Application Load Balancer Amazon VPC they probably have extended it to more services do you need to know that for the exam no but you know the point is is that there's a limited subset of things that are available the purpose of local zone is to support highly demanding applications sensitive to latency so media and entertainment electronic design and automation ad tech machine learning so it kind of makes sense like you look at LA they're in the media entertainment and so they're dealing with lots of media content so it has to be really low for them okay hey this is Andrew Brown from ExamPro and we are taking a look at AWS Wavelength Zones and these allow for edge computing on the 5G networks and applications will have ultra low latency being as close as possible to the users so AWS has partnered with various telecom companies to utilize their 5G
networks so we're looking at Verizon Vodafone KDDI SK Telecom and so the idea here is that you will create a subnet tied to a wavelength zone and then and just think of it as an availability zone but it's a wavelength zone and then you can launch your VMs to the edge of the targeted 5G network so that's the network you're using uh AWS to uh deploy an EC2 instance and then when users uh connect to you know those radio tower those um the cell towers they're going to be routed to um you know nearby hardware that is running those virtual machines okay and that's all it is it's just it's just uh EC2 instances um but you know the advantage here is that it's like super super low latency [Music] okay hey this is Andrew Brown from ExamPro and we are taking a look at data residency so this is the physical or geographical location of where an organization or cloud resources reside and then you have the concept of comp uh compliance boundaries so a regulatory compliance so legal requirement by government or organization that describes where data and cloud resources are allowed to reside and then you have the idea of data sovereignty so data sovereignty is the jurisdictional control or legal authority that can be asserted over data because its physical location is within a uh jurisdictional boundary and so the reason we care about this stuff is that if we want to work with the Canadian government or the US government and they're like hey you got to make sure that you know if you want to work with us all the data has to stay in Canada and you need to give them that guarantee so data residency is not a guarantee it just says where your data is right and compliance boundaries are those uh controls that are in place to say okay this this is going to make sure that data stays where we want to be and data sovereignty is just like the idea of the scope of the the legal the legal stuff that ties in with compliance boundaries so how do we do that on AWS well there's a few different ways
but um let's just take a look at some ways that we can meet those compliance boundaries one uh which is very expensive but also very cool is AWS Outposts so this is a physical rack of servers that you can put in your data center and you'll know exactly where the data resides because you know it's physical if it's in your data center and you're in Canada that's where it's going to be okay uh and I believe that you know there is only a subset of AWS services that are available here but you know that is one option to you another is using like um services for governance so like one could be AWS Config this is a policy as a code service so you can create rules to continuously check AWS resource configuration so if they deviate from your expectations you're alerted or AWS Config can in some cases auto remediate so if you were expecting you know um you know you had an account and you're saying this account is only to be used for Canadian resources and somebody launches let's say something in another region then you could get an alert or tell AWS Config to go delete that resource okay now if you want to prevent people from doing it uh altogether that's where IAM policies come into play so these can be written explicitly to deny access to specific AWS regions and you know this is great if you're applying it to users or roles but if you wanted to have it organizational wide across all of your um your AWS accounts you can use something called a service control policy that is just an IAM policy that is used within AWS Organizations that makes it organizational wide [Music] okay hey this is Andrew Brown from ExamPro and we are looking at AWS for government so to answer that we first have to understand what is public sector so public sector includes public goods and government services such as military law enforcement infrastructure public transit public education healthcare and the government itself so AWS can be utilized by the public sector or organizations developing
cloud workloads for the public sector and AWS achieves this by meeting regulatory compliance programs along with specific governance and security controls so this could be meeting the requirements with HIPAA FedRAMP um CJIS and FIPS okay so AWS has special regions for US regulation called GovCloud which we'll talk about next okay [Music] hey this is Andrew Brown from ExamPro and we are taking a look at GovCloud and to understand what GovCloud is we need to know what FedRAMP is so FedRAMP stands for Federal Risk and Authorization Management Program it's a US government-wide program that provides a standardized approach to security assessment authorization continuous monitoring for cloud products and services so now that we know what FedRAMP is what is GovCloud well uh and again it's not particular to AWS because Azure has GovCloud as well but a cloud service provider like AWS or Azure will offer an isolated region to run FedRAMP workloads and so in AWS it's called GovCloud and these are specialized regions that allow customers to host sensitive controlled unclassified information and other types of regulated workloads so GovCloud regions are only operated by you uh by US citizens on US soil they are only accessible to US entities and root account holders who pass a screening process customers can architect secure cloud solutions that comply with FedRAMP uh the DOJ's uh Criminal Justice Information Systems uh security policy the US International Traffic and Arms Regulation uh uh Export Administration Regulations the Department of Defense cloud computing security requirements and guides so if you want to work with the US government you want to uh engineer and use GovCloud [Music] okay hey this is Andrew from ExamPro and we're taking a look at uh running AWS in China so AWS China is the AWS cloud offering in mainland China AWS China is completely isolated intentionally from AWS Global to meet regulatory compliance for mainland China so that
means that if you make a workload on the AWS Global uh you can't uh interact with it within the AWS China one okay it's basically treated like a completely separate service like AWS has its own Chinese version uh and so AWS China is on its own domain at amazonaws.cn and for everybody else that's what's considered AWS Global so when I'm using AWS from Canada or use it from the US or from India or from Europe or wherever that is the AWS Global okay so in order to operate in AWS China regions you need to have a Chinese business license so ICP license not all services are available in China so uh you will not have the use of Route 53 uh and you might say well why not just run in Singapore or AWS Global and you could do that but the advantage of running in mainland China means that you would not have to traverse the Great Firewall okay so all your traffic is already within China so you don't have to uh deal with that AWS has two regions in mainland China so uh there's this one here which is the northwest region operated by NWCD and then you have the one in Beijing North one operated by uh Sinnet so you know AWS just could not meet the the compliance requirement so they had to partner with local providers or data centers and so that is how that works [Music] okay all right so I want to show you how you get over to the um Chinese AWS Management Console so this one is
aws.amazon.com that is the global one for everyone outside of mainland China but if you want to run resources uh on data centers within mainland China this is at amazon.cn and so it looks very similar if you go to create a free account you're going to fill in this stuff but uh notice that you need to have your business registration certificate uh and additional information in order to run these data centers down below that AWS has partnered with also notice that the logo doesn't say AWS in it and there's a good reason for that if I type in AWS trademark China uh AWS is actually banned from using the AWS logo in China uh for whatever reason it's a weird reason if you ever want to read about it but that's why you don't see AWS here all right um so yeah there you [Music] go hey this is Andrew Brown from ExamPro and we are looking at sustainability for AWS global infrastructure and before we talk about that let's talk about the Climate Pledge so Amazon co-founded the Climate Pledge to achieve net zero carbon emissions by 2040 across all of Amazon's businesses which includes AWS if you all want to find out more information go to sustainability.amazon.com
there's a lot of great information there and you'll learn exactly how uh AWS is achieving this in particular like their data centers it's very interesting okay so AWS Cloud sustainability goals are composed of three parts the first is renewable energy so AWS is working towards having their AWS global infrastructure powered by 100% renewable energy by 2025 and AWS purchases and retires environmental attributes to cover the nonrenewable energy for AWS global infrastructure so they would purchase things like renewable energy credits also known as RECs guarantees of origin so GOs the second point here is cloud efficiency so AWS infrastructure is 3.6 times more energy efficient than the median of US enterprise data centers surveyed so that's going to really rely on that survey surveys are not always that great so you know take that with a grain of salt okay then we have water uh stewardship so uh direct evaporative technology to cool our data centers use of non-potable uh water for cooling purposes so they're recycling water on-site water treatment allows us to remove us them to remove scale forming minerals and reuse water uh for more cycles water efficiency metrics to determine and monitor optimal water use for each AWS region and you'll find that water plays a large part on uh making these um uh these data centers very efficient [Music] okay so I just wanted to show you where you get to that sustainability information so I just went to AWS global infrastructure you click sustainability and that's going to bring us over to whoops I have my Twitter open there to the sustainability in the cloud so if you want to uh read a bunch of stuff here about things that are going on that AWS is up to see uh how they are progressing with renewable energy um there's cloud efficiency up here so you know how are they being efficient it's worth the read to really understand that there's a lot of water involved like reducing water in data centers I thought that was
really interesting um I mean they have the AWS podcast but I don't think there's really much to it a bi-weekly podcast of bite-sized stories about how Tech makes the world better that's not necessarily A sustainability podcast it's just the AWS podcast in general there's a download Center um Amazon's 2020 sustainability reports so I guess you can download the reports to see what is going on there so we could download the progress here and see what they've been up to okay so there's a bunch of numbers things like that okay very short reports but hey at least you can download them okay so just in case you're uh very interested in sustainability all [Music] right

hey this is Andrew Brown from ExamPro and we are taking a look at AWS Ground Station so this is a fully managed service that lets you control satellite Communications process data and scale your operations without having to worry about building or managing your own ground station infrastructure and so when we're talking about Ground Station a really good way to cement what the service is is just think of a big antenna dish that's pointing into the sky trying to communicate with satellites because that's essentially what the service is doing so the use cases here could be for weather forecasting surface Imaging communications video broadcasts and to use Ground Station the idea is that you would schedule a contact so that's where you're selecting a satellite a start and end time and the ground location and then you use an AWS Ground Station EC2 AMI an Amazon machine image to launch EC2 instances that will Uplink and downlink uh data during the contact or receive downlink data in an Amazon S3 bucket a use case could be something like you are a company you've reached an agreement with a satellite image provider to use their satellites to take photos for a specific region or time or whatever and so the idea is that you are using AWS Ground Station to communicate uh to that company's satellite and download
that s uh that image data to your S3 bucket okay [Music]

hey this is Andrew Brown and we are looking at AWS Outposts and this is a fully managed service that offers the same AWS infrastructure Services APIs tools to virtually any data center colocation space or on premise facility for a truly consistent hybrid experience and just to kind of summarize it it's a rack of servers running AWS stuff on your physical location okay so before we jump into the service or technology itself uh let's talk about what is a rack server or just a rack so it's a frame designed to hold and organize IT equipment so here's an example of a 42U rack uh and there's the concept of rack heights so the U stands for rack units or U spaces uh with it equal to 1.75 in and the industry standard rack is a 48U um so that is a 7 foot rack so a full size rack cage is commonly the 42U High okay and uh in it you might have equipment that is of different sizes so there could be 1U 2U 3U or 4U high so here's an example of you know of an interior of a rack and notice that like 1U 2U 4U they're all a little bit shaped differently uh but they give you kind of an idea of um you know what those are so AWS Outposts comes in three form factors the 42U the 1U and the 2U so the the first one here the 42U this is basic basically a full rack of servers provided by AWS so you're not just getting the frame it actually comes with you know servers uh and so AWS delivers it to your Preferred Physical site fully assembled and ready to be rolled into the final position it is installed by AWS and the rack needs to be simply plugged in to the power and network and there's a lot of details about um the specs on this on the AWS website so you know I'm not going to go through them all here um then there are servers that you can just Place into your existing racks so we have the 1U so this is suitable for 19 in wide 24 in deep cabinets it's using AWS uh Graviton2 um CPUs and you can have up to 64
uh virtual CPUs we have 128 gigabytes uh 4 terabytes of local NVMe storage um and then you have the U or sorry the 2U so suitable for 19in wide 36 in deep Intel processors up to 128 virtual CPUs 256 GB of memory 8 terabytes of local NVMe storage so there you [Music] go

let's take a look at Cloud architecture terminologies before we do let's talk about some of the roles that are around uh doing Cloud architecture so the first is Solutions architect this is a role in a technical organization that Architects a technical solution using multiple systems via researching documentation and experimentation and then you have the cloud architect this is a Solutions architect that is focused solely on architecting Technical Solutions using cloud services understand that in the uh actual Marketplace a lot of times Solutions architect is used to describe both a cloud architect and a Solutions architect and you know these are going to highly vary based on your locality and how companies want to use these terms but this is just me broadly defining them here so just don't take them as a perfect word in terms of what they're representing so a cloud architect needs to understand the following terms and factors uh and Factor them into their designed architecture based on the business requirements so we have the idea of availability your ability to ensure service remains available scalability your ability to grow rapidly or unimpeded elasticity your ability to shrink and grow to meet the demand fault tolerance your ability to prevent a failure Disaster Recovery your ability to recover from a failure and there are a couple other things that uh that should be considered they're not terminologies but they're definitely important to a Solutions architect or Cloud architect and uh these are things you always need to consider uh as as well and this is just me talking to my Solutions architect friends where they'll always ask me these two questions after presentation they'll say how secure is the solution
and how much is this going to cost all right and so for the terminologies up here we're going to Define these right away and we're going to figure these out throughout the course we have two giant sections just on cost and security alone uh so there we [Music] go

the first term we're looking at is high availability and this is your ability for your service to remain available by ensuring there is no single point of failure and or you ensure a certain level of performance so the way we're going to do that on AWS is you'd want to run your workload across multiple availability zones to ensure that if one or two availability zones became unavailable your servers or applications remain available because those other um those other servers are going to be there and the way we would accomplish that is via Elastic Load Balancer so a load balancer allows you to evenly distribute traffic to multiple servers in one or more data centers if a data center or server becomes unavailable or unhealthy the load balancer will route the traffic to only the available data centers within the server and understand that just because you have additional servers doesn't mean that you are uh you're available you have to you might need to meet a particular threshold of availability so you might need to have at least two servers always running to meet the demand so it's based on the the demand of traffic [Music]

okay let's take a look here at high scalability so this is your ability to increase your capacity based on the increasing demand of traffic memory and computing power and we have the terms vertical scaling so scaling up um this is where you upgrade to a bigger server and then there's horizontal scaling scaling out this is where you add more servers of the same size and the great thing about scaling out or adding additional servers is that you're also going to get um High availability so if you do need two servers it's always better to you know add an additional server as opposed to having
a larger server but it's going to be very dependent on a lot of factors [Music]

okay so scalability and elasticity seem very similar but there is a crucial difference and this is your ability to automatically increase or decrease Your Capacity based on the current demand of traffic memory and computing power again it's the it's the fact that it happens automatically and you can go both ways increase or decrease so for horizontal scaling we have the concept of scaling out so add more servers of the same size and then scaling in removing underutilized servers of the same size and vertical scaling is generally hard for traditional architectures so you'll usually only see horizontal scaling described with elasticity um and the way we would accomplish uh being highly elastic is using Auto Scaling groups ASGs and this is an AWS feature that will automatically add or remove servers based on scaling rules you define based on those metrics

okay let's talk about being highly fault tolerant so this is your ability for your service to ensure there is no single point of failure preventing the chance of failure and the way we could do that is with failovers so this is when you have a plan to shift traffic to a redundant system in case the primary system fails a very common example is having a copy or secondary uh uh uh of your database where all ongoing changes are synced the secondary system is not in use until a failover occurs and it becomes the primary database so when we're talking about databases on AWS this is the concept of RDS Multi-AZ so this is when you run a duplicate standby database in another availability Zone in the case your primary database [Music] fails

and last here is high durability so this is your ability to recover from a disaster and to prevent the loss of data so solutions that recover a disaster uh from a disaster is known as disaster recovery so do you have a backup how fast can you restore the backup does your backup still work how do you ensure
current live data is not corrupt and so maybe a solution AWS would be using CloudEndure which is a disaster recovery uh service which continuously replicates your machines in a lowcost staging area in your target AWS account and preferred region enabling fast and reliable recovery in the case of an IT data center fails [Music]

okay so to understand Disaster Recovery we need to know more about uh things around it like business continuity plans BCPs and RTO and RPOs so uh a BCP is a document that outlines how a business will continue operating during an unplanned disruption in services so it's basically the plan that you're going to execute uh if that happens and so here we have a disaster and you can see that there's a chance of data loss and downtime and these two um uh factors as RPO and RTO are going to define the length of these durations so recovery Point objective is the maximum acceptable amount of data loss after an unplanned data loss incident expressed as an amount of time so how much data are you willing to lose and then recovery time objective so the maximum amount of downtime your business can tolerate without incurring a significant financial loss so how much time you're willing to go down okay so those are the two there and now let's go take a look at the disaster recovery options that we can use to define in our our BCP

so now let's take a look at our disaster recovery options uh and based on what you choose they're going to be a trade-off of cost versus time to recover based on the RPOs your RTO of course and so sometimes this is rep represented vertically like a a thermostat or you can do it horizontally here um both are valid ways of displaying this information but I just have it horizontally here today and so we have low or high or you could say um even though I don't have it written here this could be cold or this could be hot okay so um on the left hand side we got backup and restore pilot light warm standby multi-active site notice we're using the
like the words like pilot light warm things that are relating to temperature so again cold and hot all right so let's just walk through what each of these things conceptually do uh in terms of architecture so when you're doing a backup and restore you're back you basically back up your data and uh at the time of Disaster Recovery you're just going to restore it to New infrastructure uh for a pilot light the data is replicated to another region with the minimal Services running to keep on replicating that data and so you might have some core Services running a warm standby is a scaled down copy of your infrastructure so you basically have everything that you would absolutely need to run an application but the idea is it's not at scale and so at any time when there's an incident you're going to scale up to the capacity that you need and then you have multi-site active-active where you you have a scaled up copy of your infrastructure in another region so basically everything you have identically in another region and so in terms of the RPOs and the RTO for backup and restore you're looking at hours uh with the pilot light you're looking at 10 minutes with a warm standby you're looking at minutes and multi-site uh active-active you're looking at uh real time so you know hopefully that gives you an idea of you know the difference in terms of scale but let's just look at more detail so for a backup and restore this is for low priority use cases restore data after event deploy resources after an event and it's very cost effective uh for light this is where you have less stringent RTO and RPOs so you're going to be just running your core Services uh you're going to start and scale resources after the event and this is a little bit more expensive this is uh very good for warm standby is good for business critical services so you scale resources after the event uh and it's uh almost very it's very it's costly but it's not as expensive as a multi-site active-active so you get
zero downtime near zero loss uh you have it's great for mission critical services and it's just as expensive as your original infrastructure so you're basically doubling the cost there [Music]

okay so we already defined RTO but let's redefine it again based on what AWS describes in their white paper and just look at how it Maps against um the disaster recovery option so re recovery time objective is the maximum acceptable delay between the interruption of service and restoration of service this objective determines the what is considered an acceptable time window when service is unavailable and is defined by the organization and so this is the diagram found in the white paper and so on the left hand side we have cost and complexity here and then length of service interruption and what you can see here is that the cost and complexity for a multi-site active-active is very high but the length of service Interruption is zero and then as we go down we have warm standby so it's significantly like at least half uh the complexity of that one then we have our pilot light down here and backup and restore but notice backup restore takes the longest amount of time and notice here we have a recovery time objective so in your BCP you kind of Define where that is based on the cost of business impact so you might have to calculate that saying okay what is our cost over time based on the length of service Interruption where do we want our RTO to be what is the acceptable recovery cost and this is where you're going to decide what you want to do so here we have pilot light and backup and restore and so this company uh has to decide whether they want to do a pilot light or they're going to do a backup restore but it sounds like this is where they're going to be which is at the pilot uh light for what is acceptable in their business use case [Music]

okay let's do the same for RPO so recovery Point objective is the maximum acceptable amount of time since the last data recovery point
the objective determines what is considered an acceptable loss of data between the last recovery point and the interruption of service and it's defined by the organization again we pulled this from the AWS white paper for disaster recovery and uh we have cost and complexity but this time it's replaced with data loss before service Interruption so uh for multi-site again it's going to be very expensive and high up here as you noticed it's not like a perfect um uh curve it's just it's a bit different in terms of what it looks like so here we have warm standby pilot light um and so you'll see that the data loss is um not a big deal but for backup and restore it really juts out there so you can see that you can get pretty good results just with the pilot light and the cost and complexity is very low again we have to look at our cost and business impact so we got to follow that line and we need to see where our acceptable uh recovery cost is and so uh you're going to notice that uh we have a bit of an intersection here okay and so we need to determine you know like are we going to be doing a warm standby looks like we have the cost to do it um uh but you know it just really depends you know do we want to be down here or down there okay so hopefully that helps and visualize that information for [Music] you

hey this is Andrew Brown from ExamPro and what I want to show you here is a real world architectural diagram I created this a while ago this is a previous version of the um ExamPro or technically TeacherSeat platform uh that powers The Learning Experience uh for by class certifications and so I'm hoping that by giving you some exposure you'll absorb some information here uh and that will carry through to really help you cement what these services do and how they work together now you might be asking how did I make this well I'm in Adobe XD it's by Photoshop or sorry Adobe it's free to download but there's a lot of options out there and but the first thing you'll
need is those AWS architectural icons so these are free on AWS you can download them in PowerPoint download them as assets as SVGs and PNGs which is what I have done and start using them in your um uh whatever software you like there's also third party providers out there so like there's Lucidchart I love Lucidchart but I don't use it to make architectural diagrams uh for AWS um but you know you can drag drop and stuff and they already have the library there and there's a bunch of them that you can choose from so uh you know that's interesting but let's take a look at one that we can download maybe everyone's familiar with PowerPoint so here is the AWS architectural icons and the reason I'm showing you this is not because it just contains icons but it also suggests how you should build them so if I go through here they'll give you a definition of those system elements uh how they would look like here so we have our group icons or layer group our service icons resource icons where they should go uh and then they have some interesting guidelines of like dos and don'ts so here's like a simple example of a get to an S3 bucket um here's an example of using VPC subnets and things like that on the inside um and then you can see kind of like all the groups that we have and it show all like the uh the um arrows it's a big faux pas to make uh diagonal arrows that's just something AWS defines but you'll see a lot of people do them anyway and then you'll see all the icons so do you have to make them like AWS suggests no but you know if you like the way they look that is fine everyone just does whatever they want honestly so anyway now that we've seen you know how we can go get the resources to make our own I have Adobe XD open up here and so I just kind of want to walk you through what's going on here so again I said this is a a traditional um architecture meaning that it's powered by virtual machines and so what we need to look for uh is EC2 because that's where it's
going to start that's our virtual machine and you'll notice we have one here so there's a T2 um uh that's running over here and then over here we have a T2 okay so uh we have a blue and a green environment so this is our running environment so I'm just going to zoom on in here okay so the web app would be running on this and um and then on the outside here we have an Auto Scaling group and so Auto Scaling groups allow us to um manage a group of EC2 instances and they will automatically scale if the demand increases or or or declines so if this machine can't handle it it will just automatically provision a new one and so I've contained it in this environment here because I'm representing a blue green deploy meaning that when I deploy this will get this will be the environment that replaces things and so you can see I have a lot of lines being drawn around here so um over here we have uh um Parameter Store so Parameter Store is a place where we can store our environment variable um or application configuration variables and so I have this line going here and it's just saying we're going to take these environment variables and put them into the application okay uh and then there's also uh the database credential so here we are using Postgres over here so and then we need the database credentials so we're grabbing those database credentials those are stored in Secrets Manager and we're giving to the application so the app knows how to connect to the database and this one knows how to uh configure it okay then we have um a bunch of uh buckets here for different organizations and so you know S3 is for storage so this is a way we're going to um store a variety of things so like user data assets artifacts CloudFormation templates so some of this is for the app some of them is for the infrastructure so that's one thing there okay then over here we have uh a CI/CD pipeline so we have CodePipeline and so CodePipeline is triggered by GitHub so we put our code in GitHub and
when that happens it's going to do a CodeBuild so that's going to build out a server um and then from there it's going to run another CodeBuild server and then from there it's going to then um uh uh use CodeDeploy and so CodeDeploy is going to trigger a deploy what it will do is create a new environment so it's going to create a copy of this um sorry it's going to create a cop this is actually the environment that's running so we'll copy that and that will be our new environment right okay and so when the deploy is done it will swap and then that environment will become this new one um and so you know again this is actually really the the running server it's just kind of easy to get hung up on this one but the idea here is that um you know that's how deployment works but let's say uh you know we want to get uh traffic to this actual instance this is going to come through the internet and the internet's going to probably go to Route 53 so Route 53 is used for domain names so this be like exam pro. 
c teacher seat.com we pass that over to our Elastic Load Balancer which in this case is an Application Load Balancer that's why it's called ALB and that's going to distribute the traffic there if we wanted to run the server in another um in another availability zone so that we make it highly available um you know ALB the Elastic Load Balancer Application Load Balancer is going to uh have some traffic go here and some traffic go there so this is just uh the blue environment or whichever the current environment is over here now when we want to deploy new version we're going to use launch templates and launch templates um uh are necessary when using Auto Scaling groups so um you know you do have to Define launch template it just says like what is the shape of this instance type like what's its family what should it be and then we need an Amazon machine image so our Amazon machine image is custom built because we are installing all the stuff that we want on it and so in order to automate that process we are using um SSM automation documents so SSM stands for Systems Manager and automation allows you to automate that step so what it's going to do is launch an instance install Ruby install Postgres download the codebase then it's going to create that AMI and then um it will do a bunch of other stuff here as well and this is going to run weekly or actually at the time uh it was running nightly so we're doing nightly builds so that we would always get the latest um updates to our server um because it's a virtual machine there could always be uh new updates for that Linux version or Amazon machine Li Linux version we using and then there's a bunch of other stuff here so you know um hopefully that kind of gives you an idea like the complexity of it and you know this is how I like to make my architectural diagrams very in detailed so that we can um look at them but yeah if that was too much that's fine but you know that's just the complexity of it if you build your own you'll
start to really grasp this stuff pretty well [Music]

okay so what I want to do is just show you how high availability is built into some AWS Services where in other cases say you have to explicitly choose that you want something to be highly available uh so what I'm going to do is make my way over to S3 and so with S3 this is where you can create S3 buckets and this allows you uh to store things and so the great thing about S3 is that it's basically serverless storage so the idea is that you're just going to choose your region and by default it's going to replicate your data across multiple um uh data centers or AZs and so this one's already highly available by default with the standard tier and so that is something that's really nice but other services uh you know like EC2 the idea is that you are going to launch yourself an EC2 instance so we' launch that one and the problem with this is that if you launch a single EC2 that is not highly available because it's a single server running in a single um AZ so here you know we would choose our subnet our subnet is our availability Zone but you'd have to launch at least two additional servers and then you'd have to Route um uh you'd have to have something that would balance uh the traffic to the to the three which is a load balancer and so in this case you have to construct your high availability then you have services like Elastic Beanstalk this is a platform as a service um and we'll go to environments here I'm not sure I wasn't showing up there um and so the idea is that with Elastic Beanstalk I'm just going to click on the main service here you're going to go ahead and uh create your application or create your environment you probably want to create an environment first here okay and so I would choose a web server and then the idea is I just name it so my application here my uh environment and then down below you go configure more options whoops it wants me to choose everything that's totally fine and we say configure
more options we're not going to create it because um we don't want to create one but the idea is that uh you you could choose whether you want this to be high highly available or not so see it says single instance so free tier uh and then if you chose this what it's going to do it set up a bunch of stuff for you so it's going to set up an Application Load Balancer for you it's going to set up Auto Scaling groups for you to make it highly available it's going to run at least uh between one to four instances so this does everything that uh EC2 you'd have to do manually setting up so that's really nice okay so you know some options have that if we make it our way over to RDS and again we're not creating anything we're just looking at the options it gives us when we uh start things these up here we'll make our way over to RDS when it gives us a moment here and if we go ahead and create ourselves a new database and we look at something like a Postgres database notice that we have a production option and a Dev test option and so I mean usually it shows us the price down here so even test Dev is $118 which is not true can make it cheaper than that but the idea is that when you choose between these two options um it's going to set up uh Multi-AZ it's going to that means that it's going to run an additional um uh database and another availability Zone replicate that data over so that it stays highly available um you know it's going to have autoscaling uh uh part of it and so some Services you just choose it abstractly so you just have to understand what highly availability is going to mean underneath so hopefully that kind of gives you a picture of high availability on AWS [Music]

hey this is Andrew Brown from ExamPro and we are looking at AWS application programming interface also known as AWS API so before we talk about uh the API let's describe what application programming interface is so an API is software that allows two applications or services to talk to each
other and the most common type of API is via HTTP requests and so the AWS API is actually an HTTP API and you can interact with it by sending HTTPS requests using an application interacting with APIs like Postman and so here's kind of an example of what a request would be that would be sent out and so the way it works is that each AWS service generally has a service endpoint so see where it says monitoring that's going to be CloudWatch so sometimes they're named after the services sometimes the name is a bit obscure and of course you can't just call uh call API request without authenticating or authorizing and so you have to sign your request and so that's a process of making a separate request uh with your AWS credentials to get back a a temporary token in order to authorize that and I don't have room to show it but the thing is is that what you'd be uh also going along with those requests would be to provide an action so when you look at um the AWS API it will show you a bunch of actions that you can call they're basically the same ones you'll see in the IAM policies so it could be like describe EC2 instances Or List buckets um and they can also be accompanied with parameters okay so you know we're probably not going to show you how to uh make an API request directly because that's not something that you would generally do um but what you would do is you'd probably use the AWS Management Console which is powered by the API use the AWS SDK which is powered by the API or using the AWS CLI so we'll cover all those three [Music] okay

all right so what I want to do is just point you to where you'd find the resources to use the API programmatically uh we're not going to actually use the API because there's a lot more to it uh than what I'm going to show you here but at least you'll be familiar with how the API works so I'm on the aws.amazon.com website if you type in docs at the top there it's going to bring you to the main documentation and what we're looking for
if we scroll on down there should be a general reference area where we have service endpoints if we click into here it's going to uh talk about um how a service endpoint is structured and if we go down to AWS API we can see some additional information of course to use um the API you're going to have to sign API requests first which is not a super simple process but you have to use an authorization header um and send along uh some credentials and things like that so if you want to know what service endpoints uh are available to you if you search service endpoints list for AWS this is the big list and so if I was to go down here and look for EC2 uh might be a common example here it's going to tell us what the end points are and as you can see they are Regional based but the idea here is that I could take something like this okay I could grab that and using something like Postman I could go and create a new request and it's probably a post I'm not sure what it's supposed to be it's probably a post and then you'd set your authorization header there might even be one in here for AWS see where it says AWS signature so you can go here and put your access key and secret with in here um so that's something nice about Postman so it's going to do the signing requests for you so it makes your life a lot easier and then from there what you do is you go to your body and you'd want to enter in JSON so to do JSON would probably be raw you drop down the format JSON and then you'd send your payload whatever it is so I again I haven't done this in a while because it's not a very common uh thing that I have to do like describe EC2 instances but there probably is like an action and some additional information that you'd send along um so you know hopefully that gives you kind of an idea how the API works but you know you should never Pro uh in practice ever have to really work with the API this way directly [Music] okay

hey this is Andrew Brown from ExamPro and we are looking at
the AWS Management Console so the AWS Management Console is a web-based unified console to build manage and monitor everything from simple web apps to complex cloud deployments so when you create your AWS account and you log in that is what you're using the AWS Management Console and I would not be surprised uh if you're watching this video and they've already changed um the default page here since AWS loves to change the UI on us all the time uh but uh the way you would access this is via console.aws.amazon.com when you click sign in or go to the console that's the link that it's going to uh and so the idea here is that you can point and click to manually launch and configure AWS resources with limited programming knowledge this is known as ClickOps since you can perform all your system operations via clicks [Music] okay let's talk about the AWS Management Console in brief here so you know of course when you're on the homepage you go to AWS Management Console and you will end up logging in and from there we will uh make our way over to the AWS Management Console when I say AWS Management Console I'm referring to uh this homepage but I'm also referring to anything that I'm doing in this web UI whether it's a subservice or not so you know a lot of times people just call this the dashboard uh or the homepage um but you know it is technically the AWS Management Console but everything is the AWS Management Console you can drop down Services here if there's some that you like you can favorite them on the left hand side I don't find that particularly useful you can see the most recent ones here they'll also show recently up here as well we have the search at the top notice that there's a hotkey for Alt+S I don't think I ever use it but if I was to type in a service like EC2 it's going to get me the services and then down below it's the sub features of it so if I just click into that there into this this is the main this is a service console so I would call
this the EC2 console or the EC2 service console so if you ever hear me saying go to the EC2 console that's what I'm saying and you'll notice here like there is stuff on the left hand side so I come back here EC2 Image Builder EC2 Global views these are considered services but if you drop down it says top features or you go down here it says dashboard limits AMIs you go over here um the EC2 dashboard limits AMIs are here and limits are somewhere here right there so okay so those kind of map over pretty well plls and documentation knowledge base articles Marketplace I don't think I've ever touched those in my life uh this here is the CloudShell so if you click it it will launch a CloudShell we'll cover that when we get to that section here we have this little bell it tells us about open issues I think this is for the Personal Health Dashboard yeah it says PHD in the bottom left corner or left corner so if I open that up it'll bring up the PHD the Personal Health Dashboard all right uh our region selector our support so nothing super exciting here but just kind of giving you a bit of a tour so that you know there are some things you can do um can you change the look of this I don't think right now as of yet um there is any way I'm sure AWS is thinking about it because it's been a high uh request that's in demand but uh this is what it looks like as of today okay all right so I just want to describe what a service console is so AWS services each have their own customized console and you can access these consoles by searching the service name so you would go ahead and type in EC2 and then what we refer to this screen as is the EC2 console the reason I'm telling you this is that when you're going through a lot of labs or follow alongs you'll hear the instructor say go to the EC2 console go to the SageMaker console go to the RDS console what they're telling you is to go type the name of the service and go to um that particular service's console okay uh some AWS
service consoles will act as an umbrella console containing many AWS services so uh you know VPC console EC2 console Systems Manager console SageMaker console uh CloudWatch console these all contain multiple services so you know for um for EC2 you might say okay well I need a security group there's no security group console it's under the EC2 console okay uh so just be aware of that [Music] so now I want to show you some of the service consoles to kind of distinguish how they might vary per service okay so if we were to look up EC2 um and we just did look at this but the interesting thing is that some uh consoles the EC2 console uh is the home for other AWS services and you just have to learn this over time to know that so for instance Elastic Block Store is its own service but it's tightly uh linked to EC2 instances so that's why they always have it here same thing with AMIs uh security groups same thing with that so these are interesting because these are basically part of virtual networking and so you'd think they'd be under the VPC console but they are actually under here with EC2 and so load balancing Auto Scaling groups tightly coupled to um uh to EC2 if we make our way over to VPC um you know here it's going to contain all the new stuff does it have a new experience no I guess this is the newest one it looks a bit old and a little bit new here but you know we have a lot of different things here like firewalls VPNs transit gateways traffic mirroring we make our way over to CloudWatch okay and CloudWatch has uh very uh focused services they're all actually named and this is more like a feels more like a single service where you have these very focused um services where you have alarms logs metrics events insights right but you're going to notice that like the UI highly varies so we had looked at CloudWatch and then we had looked at uh VPC and it looks like this and then we looked at EC2 and it looked like that and so there are inconsistencies because
each um service uh team like that work on per service or whatever they have full control over their UI and so some of them are in um uh different states of updating so some people might have updated the left-hand column but this part is old or you might click around like under something else like EC2 dashboard um or maybe a better example might be AMIs I remember we're in here and something looked old here yeah see these are the old buttons and that's just how it is so everything is very uh modular and so they get updated over time so that is the challenge that you're dealing with you're always having like three different versions that are cobbled together in each uh um UI one thing that I found really interesting is that um VPC has its own console management console but if you were to look up this in the uh the SDK so if I was to look up um AWS SDK EC2 okay I'm just looking up Ruby here as an example because that's what I know how to do um if you look under here let's say you want to programmatically work with VPCs you think that it would have its own top level VPC because it has in the console its own uh its own management console but actually VPC is tightly coupled to EC2 and so when you want to programmatically use VPC you're going to be um using actually EC2 uh as was built so what I'm trying to get at is the APIs don't one-to-one match with this kind of stuff and so it's just kind of interesting that there's those kind of uh differences uh but again it's not that big of a deal I'm just trying to say like you know keep your mind open when you're looking at the stuff [Music] okay so every AWS account has a unique account ID and the account ID can be easily found by dropping down the current user in the global navigation so what I'm going to do is pull my pen tool here and just show you it's right there the AWS account ID is composed of 12 digits and so it could look like this or this or this account ID is used when logging in uh with a non-root user account uh
but generally a lot of people like to set their own alias because it's tiring to remember your account uh ID the uh you use it when you're creating cross-account roles so you'd have the target account the source account ID to gain access to resources in another AWS account when you're uh dealing with AWS support AWS will commonly ask you what your account ID is so they can identify the account that they want to look at and it is generally good to keep your account ID private as it is one of the many components used to identify an account for an attack by a malicious actor uh so you don't have to be overly sensitive with it but you know try to hide it when you can when it's easy [Music] okay all right so let's talk about the account ID which appears up here in the top right corner uh where you can get the account ID it also appears in IAM so if we go over to IAM and you look on the right hand side it should show you the example here it keeps on trying to take us to the old dashboard that's fine um but you'll notice that it's over here and I don't have MFA turned on because I'm in my IAM user account but it should be turned on on everything that's given but uh you know I just want to show you where it is and also where you might be using it so one example where you would use you would need to know your account ID would be something like creating a cross-account policy so I went here and went to policy and went create policy um and we went to maybe it's a role I think we actually sorry we want a cross-account role it's not the policy sorry we go here and we say I want to access something in another AWS account what we have to do is specify the account ID specify the accounts that can use this role so you give I think the the ID of the other account okay okay and so that is one place where you'd use it another place would be when you're creating policies so if I go back to policies here I can create a policy here and I can just choose something like S3 okay and I'll
just choose a list and under the request conditions I might specify I think the account ID it should be in here um I know I can limit based on account ID principal account so you can do principal account so if I just looked up this here AWS principal account and you just got to get used to Googling things that's always what's happening here and so we should be able to specify an account ID yeah like that so that would be the principal there so if I just took that and doesn't matter what it is we just put the value in here uh um string equals this add I should be able to go over here and now see the full statement no sometimes that happens because we don't have it fully filled out but um yeah so that pretty much that's pretty much how we use it like it would normally show up as that so if I just go ahead and go next the policy contains an error you are required to choose a resource what do you mean the resource is this right oh down here okay sorry uh so we'll just say all resources then we flip over now it's valid and so here we can see our condition saying only from this account ID that it is allowed um other places we're going to see account IDs are in um ARNs right so if we had an EC2 instance we don't have one launched right now but if I was to go ahead and oh maybe we have some prior ones yeah so if I was to checkbox this here and you might not have any prior ones so there might not be nothing for you to see but if you look for the ARN where is our ARN sometimes it doesn't show the ARN in the services sometimes it does I wish that AWS always showed the ARN to make our lives a bit easier but it could be because of other reasons why but even though we don't have the ARN I think it shows us shows us the owner ID and so that's the account uh the account ID number you can tell because it's 12 digits so hopefully that gives you kind of a tour of the account ID and what its purpose is in the out [Music] okay all right let's take a look at AWS Tools for PowerShell so
what is PowerShell PowerShell is a task automation and configuration management framework it is a command line shell and a scripting language so here it is over here uh if you are a Windows user you're used to seeing this because it has a big blue window so unlike most shells which accept and return text PowerShell is built on top of the .NET Common Language Runtime CLR accepts and returns .NET objects so uh AWS has a thing called the AWS Tools for PowerShell and this lets you interact with the AWS API via PowerShell cmdlets cmdlets is a special type of command in PowerShell in the form of the capitalized verb and noun so in this case it'd be New-S3Bucket so you know we looked at the AWS CLI and that is generally for bash um uh you know shells and so PowerShell is just another type of shell that's very popular and I just wanted to highlight it for those people that are uh you know used to using Microsoft workloads or Azure workloads uh that this actually exists [Music] okay all right let's take a look at the PowerShell tools um I actually haven't used this one yet so I'm kind of curious I am on a Windows machine so if I was to um open cmd or PowerShell and you probably can't see this but if I just bring this over here if I type in PowerShell on my computer you'll notice that I have it um so that's how you'd launch it looks like a blue screen here okay um if you're on a Mac you're not going to have that but that's totally fine we don't need to have a Windows machine to use PowerShell because we can go ahead and use CloudShell so make sure you're in a region that supports CloudShell so I switch back to North Virginia uh this is not important for the exam but it's just kind of fun for me to go through this with you and if you just like want to watch uh here and so I want to change this over to PowerShell so I imagine that it must be over here um so how do we change to PowerShell so we'll type in AWS power or AWS CloudShell PowerShell like
how do we do it okay and so I'm just going to scroll down here so the following shells are pre-installed uh the Bash the PowerShell the Z shell you can identify them by that yeah of course to switch to a new shell enter the shell's program name in the command line prompt oh wow that's easy so um if we want pwsh do we just type pwsh let's find out give it a moment to think oh there we go okay so now we're using PowerShell and so I would think that AWS would give this pre-installed for us so if we go over here to the instructions and we scroll on down there's probably like oh wait like I don't use PowerShell a lot it's very easy to install modules um I've done it before but I never remember how to do it but let's just see what we can find here so I want the documentation for PowerShell here and I'm going to go to the um the maybe the reference here because I just want to see some examples for the cmdlets and so we'll look for S3 again never done this before but I'm always great at jumping uh into these things and all I want to do is just list out the buckets so I'm going to just search for the word list um and just see if I can find something very simple here and calls to get the ListBuckets API operation so I think that is what we're going to be doing here so I'm going to click into that okay and then from there what I'm going to do is just see if I can copy this command so we will go ahead and copy this and paste it in here and I like how we got this little shell here so we can tweak it so we need the bucket name but I don't want to return a list of all the buckets owned by the author so we don't have a bucket name that we want to explicitly set here so it's required false so we can remove that okay we'll look at the next one select required false use the select command to control the cmdlet output the default is bucket specifying selectable result in returning all the whole buckets for that specifying the name uh but it says it's not required so
let's just take that out as well I don't think we need any of these actually let's just go and put that in there and I think that there must be something we need to put in front of that right let's just see what happens uh the term is not recognized as the name of the cmdlet function script is operable so I think we're missing something in front of here we'll go to the user guide here quickly and we'll get to the getting started I just want a super simple example here new bucket get bucket well let's try this one here because they have it here and so it should work right I'm change this to us-east-1 the term new bucket is not recognized as the name of the cmdlet function so I'm guessing that the cmdlet is not installed I would have thought that they would have installed it by default so I guess what we'll do is look at how to install it so installing on Linux I suppose so you can install the modularized version of the PowerShell on computers to install AWS Tools on Linux pwsh to start PowerShell Core session so I guess that's how you must start it on Linux and then install the module this way so yeah I said it's easy to install these things we'll hit enter cross your fingers hope this works hope this is fast I'm just going to take a look here peek forward here if you are not uh if you're notified the repository is untrusted you're asked if you want to trust anyway just hit Y so we're waiting for that here um you're installing this module from untrusted repository it's funny that it's untrusted by but it's by AWS maybe that's some kind of drama between Microsoft not letting AWS have an official module there but it looks like it should be installed now so if I type in Get-S3Bucket here um unless I typed it wrong that still doesn't seem to be working if I go up here and try to create a new bucket still does not recognize the command cmdlet here so there must be more going on here um if you are notified you can now install the module for each
service okay well what did we do you're installing the modules from untrusted if you trust it change the uh change its installation policy value by running set policy command are you sure you want to install this module from the PSGallery so I said yes and I gave it a capital Y and it didn't do anything else so oh hold on here so this is the installer and then here is the actual tool that we want to install so it install to oh so we just installed this thing and now we use this thing to install S3 okay great not hard okay and so we'll just say yes to all and so that's going to install I guess everything oh we said EC2 and S3 well we didn't need both but that's fine and so what I'm going to do is go get bucket and so now it recognizes it it lists out the items here we can go and create ourselves a new bucket so we'll do that okay we'll make our way back over to the AWS Management Console we'll go to S3 just because I don't need all these buckets lying around here and I'm going to go ahead and delete some of these buckets here so we'll say delete my bucket great and we'll go to this one here and say delete my bucket excellent all right and so we have an idea how to use PowerShell so PowerShell is just really popular because of it's the way you do inputs it's very standardized and the outputs that come so it's very popular um and a very powerful scripting tool that's or CLI tool as well so uh you know hopefully that's that was interesting for you but what we'll do is just close these off here and go back to our homepage always just clicking that logo there and there we go [Music] so Amazon Resource Names uniquely identify AWS resources and ARNs are required to specify a resource unambiguously across all of AWS so the ARN has the following format variations so there's a few different things here but just notice here that sometimes it has a resource ID or it has a path so with a resource type or could be separated by a colon so the partition um
could either be AWS China or GovCloud because this is basically the AWS uh portal or URL that are completely separated from each other uh as we talked about those earlier in the course uh then there's the service identifier so EC2 S3 IAM pretty much every service has their own uh service that uh name here that would be identified then the region would be pretty obvious us-east-1 ca-central-1 you'd have an account ID which would be 12 digits uh the resource ID uh could be a name or a path so like for um IAM users we have user Bob the this is an EC2 instance and most of the ARNs are accessible via the AWS Management Console and you can usually click the ARN to copy to your clipboard so here it is for um an S3 bucket and notice that it's a little bit different because it is a global service AWS there's no reason to specify the region or the account ID or uh anything else there like the resource type so straight away we already know it's a bucket so we can just say my bucket so that one's really short but in other cases it's really long so here it is for a load balancer and it has all the information there and notice that like this has a path load balancer app my server will be and then it has the ID okay for paths in ARNs they can also include uh a wildcard asterisk and we'll see these like with IAM policies or or paths these are really useful when you are doing um uh policies where you have to specify n you want to say a group of things and things like that so there you [Music] go all right so now let's take a look at Amazon Resource Name or also known as ARN um and so ARNs are used to reference objects they're very commonly used when you're using the CLI or the SDK to reference to something um the easiest example is S3 right so we go over to S3 here and we create ourselves a new bucket um so I'll go ahead and create ourselves a new one here we say my new bucket I'm just going to put a bunch of numbers in here doesn't matter we'll hit create bucket and what we will see
if we click into this is the ARN should be under properties and there it is okay so there are many cases where you might want to use the ARN and a lot of times you'll just copy it and uh a very common example would be again with IAM policies so we go over to IAM policies right and I want to get to policies here just save myself some trouble and we create a policy you know I might want to restrict someone to use only that bucket so I say S3 okay and then I'm going to say um I want to be able to read and write from a particular bucket we go drop down these resources here and so here we have a lot of options um maybe I'll just get rid of the read option and I'm going to actually expand write because it's just creating too much work for me here and I just want to have um put PutObject that's that's the what we use to put something into a bucket so we expand the resource here and notice this says add the ARN so we go here and we could type the bucket name so do that or we just paste it on in here at the top so it's probably easier just to grab it sometimes but if you don't know an ARN a lot of times you can just expand this and then fill it in and that's how you get an ARN so put that there let's list oh you can also do it that way which is easier too and so now if I go to JSON is it valid there we go so here it's saying um this policy allows somebody to put an object into this particular bucket and so that would be an example where we would use um an ARN okay or if you're doing uh if you're using uh AWS support you might have to use an ARN to um to get help from support saying hey look at this particular resource exactly here and then the the cloud support engineer can help you [Music] okay hey this is Andrew Brown from ExamPro and we are looking at the AWS command line interface but before we do that we got to define some terms so what is a CLI so a command line interface processes commands to a computer program in the form of lines of text operating systems implement
a command line interface in a shell okay so then we have a terminal so a terminal is a text only interface so it has input output environment then you have a console this is the physical computer to physically input information into a terminal then you have the shell a shell is the command line program that users interact uh with uh to input commands popular shell programs are Bash uh zsh PowerShell and you might remember this one MS-DOS prompt so this has been around for obviously a very long time so maybe this kind of primes your mind for what is a shell and just so you know people commonly erroneously use terminal shell or console to generally describe interacting with a shell so if we say shell or console or terminal we're just talking about the same thing but there is technically a difference between these three things but most people do not care and I wouldn't worry about it too much okay so now let's take a look at the AWS command line interface which allows you to programmatically interact with the AWS API via entering single or multi line commands into a shell and then here I say or terminal but really it's just the shell okay so uh here is an example of one so we're trying to describe uh EC2 instances and then we're getting the output because we asked to have it back in this table like view so the AWS CLI is a Python executable program so Python is required to install the AWS CLI the AWS CLI can be installed on Windows Mac Linux Unix the name of the CLI program is aws you'll notice that up here in the top left corner there's a lot more to this but this is all we need for now [Music] okay hey this is Andrew Brown from ExamPro and we are taking a look at the AWS CLI and the easiest way to get started with this is actually via the CloudShell so you'll notice this little icon here in the top right corner that is CloudShell and it's going to allow us to um uh programmatically do things without having to set up our own environments so if I just click that there okay uh
and I say do not show again close and by the way if you don't see CloudShell here it could be your region so like if I go to Canada Central it doesn't have it there and so if I was to search CloudShell here okay it's going to say it's only supported in those regions so that's a bit annoying but once CloudShell loads it already has our uh credentials loaded within our account and so this is going to save us a lot of time in terms of uh you know trying to get set up with the exception that you have to wait for this environment to create so it takes a little bit of time but it's not that bad um and while that is waiting what I'll do is show you actually how you install the CLI yourself so if we typed in AWS CLI install all right and uh we went here the way you would install I believe it's a Python library but if we went to version two and we just said Linux uh you go down here they have instructions so you just curl it unzip it and do that um so you know if it's this and then once it's installed you'll have the of the CLI commands this is still going so you know maybe I can show you what it would be like to install the CLI by hand so if we wanted to do that one easy way to do this is if we just go to GitHub doesn't matter what repository I'm just looking for anything here and if I open up Gitpod so if we go on the top here and type in Gitpod uh.
maybe that I just want to see whoops maybe just Gitpod that oh Gitpod you're not giving me oh you know what it's .io that's why okay so if we go back here sorry and we type in .io what this will do is launch me a temporary environment and so this is outside of AWS so I'd actually have to install the CLI so this would be a great opportunity to show you how to install the CLI I'm just doing it this way because Gitpod is free to use and um you know it's going to set up an environment and how let us simulate installing the CLI so here is the CLI here I'm going to see if I can bump up the font um let's make the font as large as we can go light or dark dark sounds good to me and so if we type in aws I give it a moment we can see that we have uh the command here so if I say aws s3 ls whoops it should be able to list things out in a bucket so this is what's currently in the bucket if you're wondering how do I know what these commands are I can just type in AWS CLI commands okay and if we go here um and we go to the CLI reference then we have um anything we want here right so we go down here and I just want to see what's running in S3 and I go here and I scroll on down it's going to show me commands like copy move remove sync uh mb rb uh list right and if you're looking for a particular command you go down and say okay I'll look at ls here and it will explain to me all the little options that we can do with it and then it will always give me examples right so I can see examples like that so if I wanted to move something into an S3 bucket so let's say I want to create a new S3 bucket um we'll type in aws s3 and just hit enter and it should tell us um the sub commands maybe if I do like help like this and if we scroll on down so I guess it just pulls up documentation was hoping it would give us like a tiny summary okay so what we can do here because I want to create a bucket type in like buckets if you don't know something you just go AWS S3 CLI create bucket we'll
go here um and then what I do is I always just go to examples here so we have aws s3api create-bucket and I know it's unusual there's an s3 and there's an s3api I don't know why that is but it's always been that way and I I just don't question it anymore and so here I can go ahead and create a new bucket so I'll just go ahead and paste that command in I do want to change it up a bit here because this name could be that has to be unique so just to make sure I get what I want I'm putting random numbers in here we're going to choose the region as us-east-1 if I wanted to do other things here I could scroll up and look at some flags here so uh it looks all fine to me so I think I'll go back here and just hit uh paste okay and so it created that bucket for me if I go over to S3 and we'll wait here a moment we can see that bucket now exists if I wanted to place something in that bucket what I can do is just like touch a file so I'll just say um touch touch is a Linux command to make just an empty file so we'll say um hello.txt and then it would be aws s3 um it would be cp to copy it and I'm going to give it the local path hello.txt and then I need to give it the bucket address so would be s3:// bucket name so we named it this I'm not going to try to type that in by hand because it's too hard and then I want to say where I want to put this file so I'm going to say hello.txt and if I'm right that should work as expected and so it says I uploaded that file I make my way back over to S3 I refresh there is the file if I want to copy this file back locally um all I have to do I'm just going to remove I'm going to delete the original hello.txt file ls to show you that there's nothing there and what I need to do oops is just revert this so instead of saying the address here we can go and type in hello.txt and if I do ls there's the file if you don't know what the address is of the bucket um a lot of times you can go here and find it so it should be because they're always
changing this UI on me but we'll go to properties here and there that's the ARN uh usually a good way to find it is if you go into an actual object so if you go here it'll give you the full URL so I could have grabbed that and I could have just pasted that in there um but you know you learn after time it's not hard to remember this s3:// the unique name I do want to show you how to install it by hand so here I'm in Gitpod um I'm not sure how I can change this to a dark theme so I really don't like this on my eyes we'll go down below here to color theme and we'll say get dark there we go and so this is a temporary workspace so when I close it it'll be gone so that'll be totally fine and so I'm going to type in aws to see that it's not installed we're going to go over here this runs Linux by default so I already know that I'm going to use Linux we want to use version two here um so for the latest version use this command for a specific version no we just want the generic one so I'm going to go ahead and copy this whoops yes allow we'll paste that in we'll hit enter okay then we'll take the next command paste that in hit enter we'll go take the next command here we'll hit enter you can now run uh aws so we type aws and there's the command so uh the only thing is that if we do aws s3 ls it's not going to work because we don't have any credentials set so we'll give it a moment to think so it says unable to locate credentials you can configure credentials by running aws configure so we type in aws configure and by the way if this font is too small I believe I can bump it up like this not a great way to do it but um it works and so it says AWS Access Key ID so what we can do is go over to IAM and what I'm looking for is my particular user over here and if you remember when we first created our account it generated out access keys I go to security credentials and so we have a key here but I need the secret so this key is useless to me so I'm going to go ahead and
deactivate it just because I don't even want this key and I'm going to create myself a new key so I'm going to have an access ID and secret whenever you generate these out never ever ever ever ever show anyone what these are these are yours and yours alone okay so this is CloudShell we're fine we're just going to close that for now and I'm going to go back over to Gitpod here and hit enter so that's the ID I'm going to go grab the secret hit enter paste and I want it to go to us-east-1 to save myself some trouble uh you can change the output from JSON to tables I'm going to leave it as the default here and so now if I type aws s3 ls I get a list and so if I want to grab that file there I'm going to grab that S3 URI and we type in aws s3api or sorry it's just ls sorry or sorry cp and we're going to paste that link in and we're going to say hello.txt and I must have done the command wrong it's because we're missing s3 here I just hit up on the keyboard to get that command back and so I type in ls for list and I mean I have some other code here so you know again any repo you want on GitHub it doesn't really matter uh but you'll see there is that file probably shouldn't have used this one because it makes a bit of a mess um but yeah it's pretty straightforward just one thing to show you is where those credentials are stored so by default they're going to be stored in um it's going to be in the hidden directory in your root or your home directory called .aws credentials
so if I just do like ls here you can see there's a config file and a credentials file cat lets me print out the contents of that file so I go here and it's saying the default region is us-east-1 this is a TOML file even though it doesn't have a .toml on the end of it I just know by looking at it that's what it is config lets you set uh defaults that are going to apply to all of your credentials and then uh within the credentials file here is the actual credentials so if you wanted to just set them you could go in here and just set them in here you can also set multiple credentials so if I go here and I'm going to open up in vi because I'm not sure how to open it up here in the main one but if you wanted multiple accounts you do like exam Pro and then you just repeat these with different keys right and then when you wanted to use an AWS CLI command actually I'm going to go back here for a second okay and if you want to um and by the way I'm using vi never use Vim it's a bit tricky to use uh you might want to use nano instead if you're kind of new to this um because this will use like regular key shortcuts and then down below it shows you what it is so this is like control X or alt X alt X nope control X there we go um but anyway so if I go into this file and I delete the original one right and now I try to do um this command here even though we already have that file it should either hang or complain I could just kill that by doing control C if I do aws s3 ls notice that it's hanging so unable to locate credentials because there's no default one but if I go and I put profile and I say exam Pro all right it'll now use that profile so that's the way we do it um but hopefully that gives you kind of a crash course into the CLI um so yeah there you go okay so I'm just going to go ahead and close these off you can delete this bucket if you don't want it it's probably a good idea to delete this here and I'm just going to say permanently
delete okay very very good okay close that off and yeah that's the introduction to the CLI so yeah there you go [Music] hey this is Andrew Brown from exam Pro and we are taking a look at software development kits uh so a software development kit or SDK is a collection of software development tools in one installable package so you can use the AWS SDK to programmatically create modify delete or interact with AWS resources so the AWS SDK is offered in a variety of programming languages so we have Java Python Node.js Ruby Go .NET PHP JavaScript C++ and so here would be an example of some Ruby code where we are creating ourselves um an S3 bucket so we're just uploading a file there [Music] okay okay so now what I'm going to do is show you how to use the AWS SDK and so uh to do that uh we're going to need some kind of IDE um a basically code editor and so we had looked at Gitpod which is a third party service and that's fine but let's take a look at Cloud9 because that is built into AWS so if I just type in Cloud9 here and go over to IDE I'm going to launch myself a new environment so I'll hit create I'm going just say my SDK environment env if you have a hard time typing environment like me and we have some options so create a new EC2 instance for direct access create it via Systems Manager run a remote with SSH I'm going to leave it as the default then we have the option to choose what size I want to leave it on t2.micro because that is the free tier then we're going to scroll on down we have Amazon Linux 2 Linux AMI I'm going to stick with Amazon Linux 2 and we can have it turn off after 30 minutes a great option for us here and we'll go ahead and hit next and we'll hit create environment and so we're going to have to wait a little bit for this to launch it'll take a few minutes as that is going let's go to Google type in AWS SDK um to get to the main page and so the idea here is that there are a bunch of different languages you can use C++ Go Java
JavaScript .NET Node.js PHP Python and Ruby uh and so I'm a really big fan of Ruby I've been using Ruby since 2005 and so that's what we're going to do it in it's also really easy to use and it's a really great language so um you know down below it's just showing you that there's all these different things but if we go down to the SDK here and we click on Ruby we have examples where we have the developer guide the API reference and so this tells you how to get started even here it's saying like hey go get started with Cloud9 which is great as well I suppose um and so here it might show you how to install it um and when we open up the API references this is what it looks like so a lot of times when I want to do something I know it's like I want to do something with S3 so I scroll on down here and I look for S3 right and then I just kind of like uh scroll around and look you know what I mean sometimes you have to expand it go into the client every API is slightly different so you do have to kind of figure out how to navigate that I'm actually under S3 right now so I'm looking for the client and I just know this from memory that this is where it is so first you create yourself a client and then you can do API operations so if I wanted to like list buckets I just search the word list and I just scroll on down and there it is I click into that and I have an example of how to list a bucket so I'm going to go back to Cloud9 and it is ready and it started in dark mode um if yours is not in dark mode which really honestly why wouldn't you want dark mode um if we go up to I think it's like file where is it preferences here got to see the Cloud9 option and I'm just seeing if it like remembers my settings I really like two two soft tabs here but uh there should be something for themes down below and so um that doesn't seem like that's it used to be like a oh here it is if you go here and just choose like whatever you want I'm on Jett Dark here and so if it's on classic
light or something you don't like you can fix that there um but I'm just going to go here and just fiddle with my settings because I really like to use Vim uh keys I don't recommend this if you are uh to change this if you are not a programmer but I'm just going to change it so that I can type here efficiently so I'm just looking for the option here and they moved it on me where did they move it probably be like key bindings ah Vim mode there we go again don't do that this is just for me so I can uh move around in a different way so what I want to do and by the way it looks like this default screen we could have just changed it here I just clicked through all that for nothing was here the entire time but um what we need is we need to make sure that we have our credentials so if we type in aws um s3 ls that's like my sanity check that I always like to do to make sure I have credentials notice that we didn't have to set up any credentials it was already on this machine which was really nice and so I'm going to create a new file here and it's okay if you don't know anything about Ruby we're just going to have fun here and just follow along so I'm going to do example.rb
I'm going to make sure Ruby's installed by doing ruby -v so it is installed which is great uh you need a Gemfile so say new Gemfile here and if we go back to the installation guide uh we need the gem SDK here actually I'm going to look at how to generate a Gemfile Gemfile because there's some stuff that goes to the top of those files like this here I think we just need this line here so I'm just going to grab that whoops paste that in allow good and uh you can do gem aws-sdk that will install everything but uh we only want to work with S3 and so this is going to vary based on each language but I know that if we type in S3 we'll just get S3 and that's all we really need and so once we have that what we'll need to do is use a bundle install so we're going to make sure we're in the correct directory I'm going to type in ls down below notice the Gemfile is there and by the way if the fonts are too small I should probably bump those up let's see how we can do that uh editor size font user settings good luck trying to find a day um project no you think it'd have to be under user settings right ah here it is okay so um this is for probably the editor so we'll go to 18 here code editor here I'm trying to find the one for the terminal probably over here there we go much easier okay so notice we have example.rb and Gemfile so we're in the correct directory make sure I save that I'm going to type in bundle install that's going to install the gems give it a moment there it's going to fetch notice that installed um the aws-sdk-s3 and everything that it was dependent on and so now if we go over to our example.rb
file really when you're coding for the cloud you can pretty much copy paste everything so over here we found this code here for S3 list buckets um so I'm going to go ahead and paste that on in okay and I know it looks really complicated but we can quickly simplify this so I know that this is just the output so I don't need that okay and in Ruby you don't need parentheses or curlies if uh if you don't have any things there and so all I need to do is define a client so if I click uh if I go to the top here of this file I think we're in the client right now all the way to the top all the way to the top here that's what we need okay and so I'm going to paste that in now uh we can set the region here so I'm going to say us-east-1 right and then you'd have your cred um because the credentials are on the machine in the um uh credentials file they're going to autoload here I believe so I don't think I need to set them so I'm just going to take that out here for a second okay and I can do this if I want this is just slightly different syntax it might be easier to read if I do it this way for you okay and I don't need double client there so we have the client I like to name this like S3 so I know what it is and I put puts for the response FS I'm going to do inspect and so puts is like print okay and so now if I type in bundle exec let's just make sure that it's in the context of our bundler file ruby example.rb
um we have a syntax error on this line here unexpected thing here oh it's because of this it's because I commented out so I'm just going to do curly parentheses comment out here okay actually to make it a bit easier I'm just going to bring this down like this okay and we'll paste that there okay and we'll try this again uninitialized constant Aws oh yeah we have to require it so we have to require aws-sdk-s3 I think we'll hit up and uh we got a struct back so it is working we are getting an object back if we want to play around with this a bit more I'm just going to install another gem called pry pry allows us to um inspect code so we're going to do bundle install and I'm going to go back to Ruby here I'm going to put a binding.pry in here and then if I hit up and I do bundle exec ruby example.rb um I installed it right bundle install yes undefined method pry oh because I have to require it again bad habit here okay we'll hit up and so now I have an interactive shell and I can kind of analyze that object so we have a response so if I type in resp here I have the structure object I can type in buckets here okay and it's showing me a bucket I can give it get its name um oh I think it's an array so I think I'd say like I'd say like zero here or I could say first this is just how the Ruby language works we say name I get the name creation date okay so you get the idea whatever you want to do you know you search for it you just say I want to delete a bucket I want to create a bucket right and you look for it so I say create bucket here I click on this and I can see the options and they are always really good about giving me an example and then down below they always tell you all the parameters that you have there so that's how the SDK works uh but yeah the credentials were uh soft loaded here but you could easily provide them yourself I should just show you that before anything else just cuz there's some variations there um and I'm just trying to look for it because it
is separate code so you could do this this is one way of doing it so you could do it separate from the code so if you only wanted to configure it once right because you could have a lot of clients you wouldn't want to keep on like for each client you wouldn't want to put region in every time so I could take this and put this right here okay and this is the file here where we have the credentials so this would be our um our access key and our ID and so you never want to put your code directly just in here so if I open up if you go cat you would never want to do this but I'm just going to show as an example here uh credentials oops I got to get out of this exits credentials oh do they not even show it on this machine which would be smart we wouldn't really want to see our credentials here uh hit up say ls oh no it's there okay cat whoops credentials there it is okay so you know if we look here we can see that there are credentials set it's a little bit different we have this like session token I guess it's to make sure that this expires over time but if I was to take these okay and I was just to paste them in here that's one way you would do it um you never ever want to do this ever ever ever ever you never want to do this because you'll end up committing that to your code um so this is really dirty to do so I don't ever recommend to do it um if you wanted to have this apply to everything you could put it up here and so now when we call the client we don't have to do it um of course if they're loaded on the machine you don't have to do it the other thing is like if you want you could load them in via environment variables that's usually what you want to do so you say AWS uh access key right and then we say environment AWS access secret and so you'd set those by doing I think it's like an export um environment variables set in Linux you think I know after like 15 years of doing this but I never remember so you type in export so you go
down into oops here you type in export and you just say something like I'm going to just show an example to see if it works so I'm going to say hello world okay and if I do uh hello like that echo see it prints it out so that's how you would set it you'd set those there but there's actually very specific ones that AWS uses for um the API and it's these ones here so you always want to use those okay so you put that in there and that in there but of course you know like if they're already set in your machine you don't have to even specify those cuz it would autoload those environment variables I don't think they're set right now if we type in echo just take a look here are they going to get autoloaded here no so but anyway so we could go here just as an example and well actually they just show them right here so you see your access key but we go and we type in um export and I'm going to paste the key in there and I'm going to go to the front of it we're typing AWS_ACCESS_KEY_ID equals enter and so now if I did echo on this AWS_ACCESS_KEY_ID okay shows up but I just want to show you how it can kind of vary and those conditions around it so yeah that is the AWS SDK um and yeah a lot of times you're just copying pasting code and just kind of tweaking it you're not really writing uh real programming okay so hopefully that is less intimidating so I'm just going to close these off and I want to close down this Cloud9 environment um I might have to reopen this up in another tab and go to the Management Console here and then go over to Cloud9 and just close this tab and then we'll go ahead and delete this environment oops I'll just type delete here even if you didn't it would turn off after 30 minutes and you have that free tier so it's not that big of a deal it's up to you whether you want to use Cloud9 or Gitpod Cloud9 is really good because it allows you to um uh it allows you to uh use it runs on a virtual machine right so you have a container runtime
there and so it's very easy to run containers on it um whereas in like I've had some issues with Gitpod but um yeah those are the two [Music] okay let's take a look at AWS CloudShell which is a browser based shell built into the AWS Management Console and so CloudShell is scoped per region it has the same credentials as the logged in user and it's a free server so this is what it looks like and the great thing about this is that you know if you have a hard time setting up uh your own shell or terminal on your computer um or maybe you just don't have access or privilege to do so it's just great that AWS makes this uh available to you and so what you can do is click the shell icon up at the top and that will expand this here some things to note about CloudShell is that it has some pre-installed tools so it has the CLI Python Node.js git make pip sudo tar tmux vim wget vim and more it includes 1 GB of storage free per AWS region it will save your files in a home directory available for future sessions for the same AWS region uh and it can support more than a single shell environment so it has Bash PowerShell and Zsh um and so AWS CloudShell is available in select regions so when I was in my Canada region I was like where's the little shell icon but I realize it's limited for some areas okay [Music] hey this is Andrew Brown from exam Pro and we are taking a look at infrastructure as code also known as IaC and this allows you to write a configuration script to automate creating updating or destroying your cloud infrastructure the way you can think of IaC it's a blueprint of your infrastructure and it allows you to easily share version or inventory your cloud infrastructure so AWS has two different offerings for IaC the first is CloudFormation uh commonly abbreviated to CFN and this is a declarative IaC tool and then you have a cloud development kit commonly known as CDK which is an imperative IaC tool so let's just talk about the difference between
declarative and imperative and then we'll look at these tools a little bit closer uh each okay so declarative means what you see is what you get it's explicit it's more verbose but uh there is zero chance of misconfiguration unless the file is so big that you're missing something uh commonly declarative files are written in things like JSON YAML XML so for CloudFormation it's just JSON and YAML uh and so that's that side there so for imperative you say what you want and the rest is filled in so it's implicit uh it's less verbose you could end up with some misconfiguration that's totally possible uh but it does more than declarative and you get to use your favorite programming language maybe Python JavaScript actually CDK does not support Ruby right now but I just have that in there just as a general description of what imperative is okay all right so just a quick look at CloudFormation so CloudFormation allows you to write infrastructure as code as either JSON or YAML the reason why was AWS started with JSON and then everybody got sick of writing JSON and so they introduced YAML which is a lot more concise which you see on the right hand side so CloudFormation is simple but it can lead to large files or is limited in some regards to creating dynamic or repeatable infrastructure compared to CDK CloudFormation can be easier for DevOps engineers who do not have a background in web programming languages a lot of times they just know scripting and this basically is scripting since CDK generates out CloudFormation it's still important to be able to read and understand CloudFormation in order to debug IaC stacks knowing CloudFormation is kind of a cloud essential when you go into the other tiers of AWS um like Solutions Architect Associate Professional or any of the associates you need to know CloudFormation inside and out [Music] okay okay so what I want to do now is introduce you to infrastructure as code and so we're going to take a look at CloudFormation and so
we were just using Cloud9 for the SDK so we're going to go back and create ourselves a new Cloud9 environment because we do have to write uh some code so I'll go ahead and hit create here and I'm going to just say uh CFN that's short for CloudFormation example and we'll hit next step and we'll create ourselves a new environment t2.micro Amazon Linux 2 is totally fine we'll hit next it'll delete after 30 minutes we'll be fine we're within the free tier we're going to give this a moment to load up um and remember you can set your theme your keyboard mode whatever you want as that loads and as that's going we're going to look up CloudFormation and so CloudFormation is very intimidating at first but once you get through the motions of it it's not too bad um so we'll go to the user guide here as we always do if you go to the getting started it's going to just tell us some things it's going to read about YAML files um I don't think I really need to read much about this here so I think we'll just go start looking up some codes so something that might be interesting to launch is an EC2 instance CloudFormation so that's what I'll do is I'll type in what I want so an EC2 instance and I'll just start pasting in code so if we scroll on down below here going to go to examples because I want a small example here this is something that I might want to do and we're going to give that a moment here it's almost done you can do it AWS come on as that is going I'm going to open a new tab I'm going to make my way over to CloudFormation okay and um you can see I have some older stacks here notice Cloud9 when we create an environment actually creates a CloudFormation stack which is kind of interesting um but if we go here we can create a stack and we can create a file and upload it here so okay this is good I'm going to go ahead and make a new file we're going to call it template.yaml
um just so you know YAML can be .yml or .yaml there's a big debate as to which one you use um I think that AWS likes it when you use the full version so I just stick with yaml I'm going to double click into that and so in the EC2 example I'm just going to copy this okay and I'm going to paste this in here and I'm going to type in resources oops capital okay so that's a resource I want to create um when you create CloudFormation you always have a template version so I just need a basic example here at the top I guess that's a simple one is like a Hello World Bucket maybe we should do a bucket because it'll be a lot easier we don't have to make our life super hard here okay um but what I'm looking for is the version because that's the first thing that you specify I'm just trying to find it within an example here oh for freak's sakes CloudFormation version if I don't have the format version it's going to complain there it is okay so we'll copy that we'll go back over here we'll paste that in there it might be fun to do like an output here so I'm going to do like an output outputs and uh maybe instead of doing this we'll type in AWS S3 CloudFormation because what I'm looking for is what we can set as output so we'll say return values here um maybe we just want returns the domain name so we'll just say um value ref that that's going to get the reference for it and we have to say hello bucket uh type string say outputs CloudFormation example and even though I've written tons of CloudFormation it's just like if you're not doing it day in and day out you start to forget what it is so here for outputs we need a logical ID description value and export so um that is what I want so I'm going to go ahead and copy that back here this is just so that when we run it we're going to be able to observe an output from the CloudFormation file okay so the logical ID is whatever we want so hello bucket domain it's funny because this is how you do um kind of that would be the
format for Terraform I was getting them mixed up so the domain of the bucket the value here is going to be ref hello bucket domain name that's the output export value to export uh can I get an example here B name oh you know what export is for uh cross stacks we don't need to do that okay so that's fine so what we'll do is set that and we'll take out our old one and so this should create us an S3 bucket so with CloudFormation you can uh provide a template here by providing a URL or you can upload a file directly so um I'm just trying to decide here how I want to do this you can also use a sample file or create a template in the designer I'm going to go over to the designer because then we can just like paste in what we want so if I go over to YAML here and we go back over here I copy this I'm just going to paste this in here and we're going to hit the refresh button nobody ever uses the designer but this is just kind of an easy example for me to uh place this in here it's not really working maybe I got to go to template dude here refresh there we go so there's our bucket it's nice to have a little visualization and I believe this is going to work as expected so now that we have our designer template I think if we hit close what's this button say validate template probably a good idea validating the template template contains errors unresolved resource dependency uh in the output block of the template hello domain seems like it should be fine let's go whoops let's go back over here that's what I did I said reference that value oh uh maybe it's get attrib okay it's GetAtt sorry get attr CloudFormation can't remember there's an r on the end of it oh it's just Att this is if you're trying to get a return intrinsic value so a reference is like what the default one is but when every time we do like a logical name and attribute that's how we get that there so uh what I'm going to do here is just hit refresh and I'm going to validate that one more time now it's
valid if I hover over this is going to upload it create the stack we could save this save it oh we can save it in an S3 bucket so we'll say hello bucket and so now we have this URL so I'm going to copy it honestly I never use this editor so it's kind of interesting I'm going to leave and we probably could have hit create stack but I just find it a bit easier if we just kind of do it through uh this here so go back create the stack we're going to paste in the URL we're going to say next and we're going to say uh my new stack and I didn't see what the name of the bucket was oh there's no name so it's going to randomize that's perfect so we'll go next we have a bunch of options here we'll hit next we'll give it a moment here I guess we have to review it create the stack and this is the part where we watch so it says create in progress and we wait and we hit refresh and we can see what's happening trying to create a bucket and if we go to resources this is a lot easier to track because you can see all the resources that are being created if you notice that when you use the C uh when you're using the AWS Management Console and create an S3 bucket it's instantaneous but like with cloud there's a bit of delay because there's some communication going on board but here it is and notice if we go to our outputs this is the value of the bucket domain name if we were to make it with uh self-hosting which is not what we're doing with it we could also have an export name which would be used for cross referencing stacks which is not something we uh care to do um but yeah that's how you create a stack that way um but you know we can also do it via the SDK here so what I can do um is look up what is the AWS uh CLI CloudFormation cuz they have their own commands here if I go here there's a new one and there's an old one so if we go create stack yeah there's things like this like create stack update um so if we wanted to do it this way okay and I copied this here just going to put
this in my readme here for a second uh so here what you do is you say my new stack and you can provide the template URL or you could specify the local path here so we have like a template body so I'm going to go ahead and grab that okay this would be like YAML and um I need to specify this file here so template.yaml and I'm just going to go pwd here to get the full path okay and I'm going just paste that in there whoops okay I'm going to do ls okay so that gives us the full path to the file we can also specify the template URL um and so this should work as well if I take this and paste that on as a command unable to locate parameter file oh there's three three triple slashes there we'll just fix that there paste unable to load param file no such file directory and there's a t missing okay be like don't be like me and make sure you don't have spelling mistakes okay I can type clear down here so I can see what I'm doing we'll hit enter whoops unable to load the parameter file no such file or directory home well I you didn't want the forward slash so another we can try to do I think it will take it relative so if I do this it should work I don't ever remember having to specify the entire path an error occurred while calling the create stack my stack name already exists if I go back over here give this a refresh oh that's what we named our stack the one that we did so I'm going to say stack two okay template format unsupported structure when calling the create stack operation are you kidding me I do this all the time template body YAML file CloudFormation unsupported structure take a look here oh you know what I think uh this one's out of date that's why so what we can do is go to our old stack here and we can actually see the template I can go ahead and copy this whoops and we can go ahead and paste that in there and then now what I can do so you know that's the reason why it wasn't working okay so we'll hit enter um unsupported structure it should be supported
let's see if CloudFormation can help us out um apparently there was very unhelpful error message formatting so try the validate template option I wonder if we could just do this maybe if that would help here I'm just hitting up to try to run it again nope I guess we can try to validate it here it's like I'm not having much luck here today so we'll just say this here maybe it's not even loading that file where it is so there's no errors just going to make this one line okay created so for whatever reason I must have had a bug there and so putting sometimes putting on one line helps that out because I must have had an obvious mistake there and now we can see the stack is creating it's doing the exact same thing it's creating a different bucket though if we go over to our S3 here again you know you don't need to be able to do this yourself to pass the exam it's just so I'm just trying to show you like what it is so you kind of absorb any kind of knowledge about what's going on here notice down below it uses the stack name followed by uh the logical name of the resource there okay um and what we'll do is wait for that to create once that's created we can go ahead and delete these stacks we could also use the AWS CloudFormation to say like delete stack but I don't want to uh bore you with that today and so we'll hit refresh here wait for those to vanish okay those are gone uh what I'm going to do is kill this Cloud9 environment uh if there's a way to do it from here I have never known how to do it go back to your dashboard well that's nice to know we'll go ahead and just delete this okay we'll close that tab and so now we are all in good shape and so that was our introduction to CloudFormation [Music] okay let's take a look here at CDK so CDK allows you to use your favorite programming language to write infrastructure as code and technically that's not true because they don't have Ruby and that's my favorite but anyway uh some of the languages
include Node.js, TypeScript, Python, Java, .NET and so here's an example of TypeScript TypeScript was the first language that was um introduced for CDK it's usually the most up-to-date so not always does CDK reflect exactly what's in CloudFormation but I think they're getting better at that okay so CDK is powered by CloudFormation it generates out CloudFormation templates so there is an intermediate step it does sometimes feel a bit slow so I don't really like that but you know it's up to you uh CDK has a large library of reusable cloud components called CDK constructs at constructs.dev this is kind of the concept of Terraform modules and is really really useful uh and they're really well written um and they can just reduce a lot of your effort there CDK comes with its own CLI um and I didn't mention this before but CloudFormation also has its own uh uh CLI okay CDK Pipelines uh allow you to quickly set up CI/CD pipelines for CDK projects that is a big pain point for CloudFormation where you have to write a lot of code to do this whereas um this CDK has that off the bat makes it really easy for you CDK also has a testing framework for unit and integration testing I think this might be only limited to TypeScript because I didn't see any for the rest of the languages but um you know I wasn't 100% sure there uh this one thing about CDK is that it can be easily uh confused with SDK because they both allow you to programmatically work with AWS uh using your favorite language but the key difference is that CDK ensures uh idempotency of your infrastructure so what that means that's such a hard word to say but what that means is that um you know if you use this CDK to say give me a virtual machine you'll always have a single virtual machine uh because it's trying to manage the state of the file whereas uh when you use SDK if you run it every time you'll end up with more and more servers uh and it's not really managing state so hopefully that is clear between the 
difference [Music] there okay so we looked at CloudFormation but now let's take a look at CDK CloudFormation or CloudFormation Cloud Development Kit it's just like CloudFormation but you use a programming language in order to uh implement your infrastructure as a code I don't use it very often I don't particularly like it but um you know if you are a developer and you don't like writing CloudFormation files and you want to have something that's more programmatic you might be used to that um this I think should be deleting cuz we were deleting the last one here and notice how it's grayed out I can't select it so don't worry about that create a new one we'll say cdk example we'll hit next t2.micro EC2 instance Amazon Linux 2 you know the drill it's all fine here we're going to go ahead and create ourselves a new environment we're going to let that spin up there and as that's going we're going to look up uh AWS CDK so it was CDK um and we probably want to go to GitHub for this okay because it is open source and so I want to go to getting started and I have used this before but I never can remember how to use it probably the easiest way to uh use this is by using TypeScript so here's an example initialize a project make directory cdk oh first we got to install it right so we give that a moment so this is you know how we did like bundle install this is like the same thing but for uh TypeScript install or update the AWS CDK CLI from npm we recommend using this version etc etc so again we're just waiting for that to launch but uh as we wait for that it's very simple we're just going to install it create a directory um go into that directory initialize the example here it's setting up an SQS queue which is um that's quite a complex example um but you can see it's code right and then we run cdk deploy and we'll deploy it and then hopefully we'll have that resource so again we're just waiting for Cloud9 there we go so Cloud9 is more or less ready a terminal seems like it's still 
thinking and we have a JavaScript one which I do not care about there we go there's our environment we're going to make sure we have npm so we can type in npm great it says version 8.1.0 and so this is asking for 10 okay I don't know if this gives us like nvm installed nvm it does so what we can do is do nvm list that stands for node version manager Ruby has one as well and so it's telling us what version we're on I want to update um looks like we have a pretty uh pretty new version but what I want is the latest version of oh but that's node version that's not necessarily npm so we'll do node version oh 17 okay we're well well in the uh range of the new stuff so what I'm going to do is scroll on down we're going to grab this link here or this uh code here hit enter and that's going to install the AWS CDK so it says uh file already exists oh so maybe it's already installed in the machine um cdk we'll type in cdk because of course AWS wants to make it very easy for us this software has not been tested with what was that warning uh with node 1701 you may encounter runtime issues great AWS you're like the one that installed this stuff here so we get a bunch of the commands which is great and so what we'll do is follow their simple instructions we'll say hello cdk we will cd into this and um now what we can do is run cdk init and this language here and so that's going to do a bunch of stuff creates tons of files it's going to vary based on what you're using like which language because CDK comes available in a variety of languages so if we type in AWS CDK um documentation here notice up here Python, Java, .NET so I think it has more than just those three languages but um you know I wish it supported more like yeah see here is C Java but I I really wish there was a Ruby so we'll give this a moment here to get installed and I will see you back here when it is done okay okay uh it turns out I only had to wait like a second there but it says there's a newer version of the CDK 
you probably should install it but I just want to get going here so as long as I don't run into any issues I do not care um but anyway so looking at this and I again rarely ever look at this but I'm a developer so it's not too hard for me to figure out but under the lib this is our stack that we're creating and here is it is loading in SQS it's loading in SNS and then the core library it's creating an SQS queue and it's setting the visibility of that timeout it's also creating an SNS topic so those are two resources that we expect to be created if we scroll on down to the getting started it just says cdk deploy so what we'll do is go ahead and hit enter and let that do whatever it wants to do and it is thinking there we go so here we have IAM statement changes so it's saying this deployment will potentially make potential sensitive changes according to your current security approval options there is there may be security related changes not in this list do you want to deploy sure we'll hit y deploying creating CloudFormation change set so CDK is using CloudFormation underneath it's not complicated um and as that is going what we'll do is we'll make our way over to our aws.amazon.com console and if we go over to CloudFormation we'll see if we see anything yet so it's creating a stack here we can click into it we can go over to our events see that things are being created this is always a confusing so I always go to resources to see what is individually being created and they're all done so we go over here and they exist so here it says that we have a queue called this right sometimes they have links you can link through it so notice here I can click on the topic and get to that resource in SNS which is nice for SQS I'm just going to type in SQS enter uh and there it is okay so we don't really understand what those are we could delete the stack this way there's probably a CDK way to delete the stack so uh cdk destroy I assume that's what it is destroy okay so 
we'll type in cdk destroy give it a moment we're going to say yes okay it's deleting in progress we can even go back here and double check still thinking and again you know if we deleted these for real it would take like a second but uh you know sometimes they're just slow sometimes it's because a resource can get hung as well um but uh I don't think anything is problem so here we can see what the problem is not not necessarily a problem but it's just the SQS is taking a longer time to delete where the SNS subscription is a lot faster so I'll just see you back here in a moment okay okay so after a short little wait there it finally finished uh I just kept on refreshing until I saw it deleted and so it's out of there and so we'll get rid of our Cloud9 environment since we are done with it so type in Cloud9 up at the top and we'll go ahead and delete and we will go ahead and delete this here thank you and we will go back to our aws.amazon.com console here just so we can get our bearing straight here and there we [Music] go all right let's take a look here at the AWS Toolkit for VS Code so AWS Toolkit is an open source plugin for VS Code to create debug deploy AWS resources since VS Code is such a popular uh editor uh these days I use Vim but it's very popular um I figured I should make sure you're aware of this um plugin so it can do four things you get the AWS Explorer this allows you to explore a wide range of AWS resources linked to your AWS account uh and sometimes you can view them sometimes you can delete them it's going to vary per service and what's available there then you have the AWS CDK Explorer this allows you to explore your stacks defined by CDK uh then you have Amazon Elastic uh Container Service ECS this provides IntelliSense for ECS task definition files IntelliSense means that when you type uh and you uh you'll get like autocompletion but you'll also get a description as to what it is that you're typing out then there is serverless 
applications and this is pretty much the main reason to have the AWS Toolkit allows you to create debug deploy serverless applications via SAM and CFN and so uh there you can see the command palette and you can kind of access stuff there okay [Music] let's take a look here at access key so an access key is a key and secret required to have programmatic access to AWS resources when interacting with the AWS API outside of the AWS Management Console so uh access key is commonly referred to as AWS credentials so if someone says AWS credentials generally you're talking about the access key not necessarily your um username and password to log in so a user must be granted access to use access key so when you're creating a user you can just checkbox access key um you can always do this after the fact but it's good to do that as you're creating the user and then you can generate an access key and secret so you should never share your access keys with anyone they are yours if you give them to someone else is like giving them the keys to your house it's dangerous uh never commit access keys to a codebase uh because that is a good place uh for it to get leaked at some point you can have uh two active keys at any given time you can deactivate access keys obviously delete them as well access keys have whatever access a user has to AWS resources so uh you know if you can do it in the AWS Management Console so can the key so access keys are to be stored in the .aws 
AWS credentials uh file so um and if you're not familiar with Linux this tilde here this actually represents your home folder so whether you're on Windows or Linux that's going to be your home folder and then you have this period aws that means it's a hidden folder but you can obviously access it and so in it it's just a TOML like file I think it's TOML um but I never 100% verified that it's TOML it looks just like TOML uh and so what you'll have here is your uh default profile and so this is what you would use um or this is what uh any of your tools you use like the CLI or anything else would automatically use if um if you did not specify a profile you can of course store multiple access keys and then give it a profile name um so if you are doing this for the first time you might just want to type in aws config and it'll prompt you and you'll just enter them in there as well I think that's set the default one when you're using the SDK uh you would rather probably use environment variables because this is the safest way to access them when you are writing code all right um so there you [Music] go all right let's talk about access keys access keys are very important to your um and so what we'll do is go to IAM if you are the root user you can go in and you can uh generate access keys for people um but generally you're doing it yourself for your own account so I go to users I'm going to click into mine here and we'll go over to security credentials and here you're going to notice access keys and one thing that is interesting is that you can only ever have two access keys at a time so if I hit create I'm just going to close that notice that the button is grayed out I can uh uh deactivate them if I feel that I haven't used them in a while and I can make them active again so I can bring them back into access or what I can do is um make them inactive right and then I can delete them and so what I recommend right even if you do not want to programmatically be using your 
account for anything you always want to fill up both these and the reason why and this is for security reasons is that if somebody wanted to come in and uh uh get into your account what they would do is they would try to find a user um where they have access to them and then they would try to generate out a key so if both these keys are taken up so if you generate up both these keys okay and this is the one you want to use you deactivate the other one okay we're not going to use that one and so now there's no way for them to fill up that other slot okay and so that is my strong recommendation to you but there's again only ever two here I'm just going to uh delete both of these so that when we want to uh do what whatever next in a tutorial we'll go generate that out okay go ahead and clear that out so hopefully that is enough for you to understand what to do with these access keys okay so I'm going to go back here there you [Music] go let's take a look here at AWS documentation which is a large collection of technical documentation on how to use AWS services which we can find at docs.aws.
amazon.com uh and so this is kind of like the landing page where you can see all the guides and API references if you expand them in there uh into EC2 and you click on the user guide you can see HTML in PDF format Kindle and you'll notice there's a link to GitHub and that's because all of these docs are open source and you can contribute to them if you choose to do so I've done so multiple times in the past it's quite fun so AWS is very good about providing detailed information about every AWS service and the basis of this course and any AWS certification will derive mostly from uh the AWS documentation so I like to say that I'm not really coming up with new information I'm just taking what's in the docs and trying to make it more digestible and I think that's the thing is like the docs are really good you can read them end to end but they are very dense um and so it can be a bit hard to figure out what you should read and what you should not um but uh they are a really great resource and you should spend some time in there [Music] okay so I just want to quickly show you the AWS documentation like give you a bit of a tour of it so if we go to aws.
amazon.com and type in docs and I'm sure you might have seen this through other tutorials but the idea is that you have basically documentation for basically any possible service that you want and a lot of times you'll click into it and what you'll get are these little boxes and they'll show you different guides and it's going to vary based on service but a lot of times there's a user guide there's an API reference those are the two that you'll see there maybe we go to something simpler like S3 that might be a simple example yeah user guide API API reference and so all of these are on GitHub right if you open these up the documentation is here if you find something you don't like you can submit issues and uh and correct things you can even submit your own examples I have um I have uh committed uh example code to the uh docs specifically for AI services so you might be looking examples that I implemented or even Ruby examples since I really like to promote Ruby on AWS you can as a PDF or you can take it as an HTML a lot of times you're going to the user guide and the way I build the courses here is I actually go through and I read these end to end so you know if you wanted to do that and you wanted to be like me uh you can do that or you can just watch my courses and save yourself the trouble and not worry about everything that is here but generally the documentation is extremely extremely good there are some exceptions like Amazon Cognito where the content is good but it's just not well organized so I would say it best out of every other provider they they have the most complete documentation uh they generally don't keep their examples or like tutorials within here it's usually pretty light they'll have some examples um but like they like they have AWS Labs separately so you type AWS Labs GitHub right you go here and a lot of stuff is in here instead so you have a lot of great tutorials and examples over there okay um but yeah pretty much that's all there is to it 
is there consistency between documentations no they kind of vary um you know but uh it's all there is my point and they're always keeping up to date so yeah that's all you need to know about the AWS [Music] documentation hey this is Andrew Brown from ExamPro and we are taking a look at the shared responsibility model which is a cloud security framework that defines the security obligations of the customer versus the cloud service provider in this case we're talking about AWS and they have their own shared responsibility model it's this big ugly blob here um and the thing is is that every single CSP has their own variant on the model uh so they're generally all the same but some visualizations make it a little bit uh easier to understand or they kind of uh include a little bit more information at different parts of it and so just to get make sure that you have well rounded knowledge I'm going to go beyond the AWS's shared responsibility model and just show you some variants uh there's also variants not just per uh CSP but also the type of cloud deployment model and sometimes these are also scoped uh based on a cloud service category like compute or machine learning and these can result in specialized shared responsibility models so that's what we'll look at in this section [Music] okay all right so let's take a look at the AWS shared responsibility model and so I've reworked the graphic because it is a bit hard to uh digest and so I'm hoping that this way will be a little bit easier for you I cannot include the in and of here just because we're limited for space but don't worry we'll follow that up with the next slide here so there are two people that are responsible or two um organizations that are responsible the customer and AWS and on AWS's side they're going to be responsible for anything that is physical so we're talking about hardware global infrastructure so the regions the availability zones the edge locations the physical security so think of all that 
hardware that's there those data centers um everything like that then there's also software the services that they're offering and so um you know this extends to all their services but generally it breaks down to the four core and so we're talking about compute storage database and networking okay and when we say networking we're talking about like physically setting up the wires and also you know the software to set up the routing and all that kind of stuff there uh now looking at the customer side of it they're responsible for configuration of managed services or third-party software so the platforms they use so whether they choose to use a particular type of OS uh the applications so if they want to use like Ruby on Rails uh IAM so identity and access management so if you uh create a user and you grant them permissions if you give them things they're not supposed to have access to that's on you right then there's configuration of virtual infrastructure and systems so that would be choosing your OS that would be uh the networking so there could be networking on the um uh the virtual machines themselves or we could be talking about cloud networking in this case then there are firewalls so we're talking about virtual firewalls again they could be on the virtual machine or it could be configuring like NACLs or security groups on AWS then there's security configuration of data uh and so there is client side data encryption so if you're moving something from S3 from your local machine to S3 you might need to encrypt that first before you send it over then there's server side encryption so that might be turning on server side encryption within S3 or turning on encryption on your EBS volume then there's networking traffic protection so you know that's turning on VPC flow logs so you can monitor them turning on AWS GuardDuty so that it can detect anomalies with your traffic or activities within your um AWS account and then there's customer data so that's the data 
that you upload on the behalf of your customers or yourself and what you decide to um you know like what levels of sensitivity that you want to lock it down do you want to use Amazon Macie to see if there's any public facing uh personally identifiable information that's up to you so there's a lot here and honestly it's a lot easier than you think um instead of thinking about this big diagram what I do is I break it down into this and so we have the in and the of and that's what I said I could not fit on the um previous slide there the idea is customers are responsible for the security in the cloud so that's your data and configuration so if it's data that's residing on there or there's something you can configure you are responsible for it on the AWS side they are responsible for the security of the cloud so if it's anything physical or hardware the operation of managed services or global infrastructure that's going to be on them and this in and of thing is very important for the exam so you should absolutely know the difference between the two this is kind of an AWS concept I don't see any other cloud service provider talking about in and of uh so you definitely need to know it [Music] okay so one variant we might see for the uh shared responsibility model would be on the types of cloud computing this could also be applicable to the types of uh deployment models but we're doing types of cloud computing here and so we have the customer's responsibility and then the cloud service provider responsibility so we're seeing on premise infrastructure as a service platform as a service and software as a service and so when you are on prem you're basically responsible for everything apps data runtime middleware OS virtualization servers storage networking basically everything and just by adopting the cloud you're almost cutting your responsibilities in half here so now the cloud service provider is going to be responsible for the physical networking uh the physical storage those 
physical servers and because they're offering virtual machines to you they're setting up a hypervisor uh on your behalf so virtualization is taken care of for you and so um you know if you launch an EC2 instance you know you're going to have to choose the OS so that's why you're responsible whatever middleware there the runtime so whatever kind of programs you install on it uh the data that resides on it and any kind of like major applications okay then we have platform as a service uh and so you know the cloud service provider is going to take even more responsibility there so when we're talking about this we're thinking like a Elastic Beanstalk right so you know the you just choose what you want and it's all managed so you might say I want a Ruby on Rails server but you're not saying what OS you need um you're not uh saying exact you might say what version of Ruby you want but you don't have to manage it if it breaks uh or it might be managed updates and things like that the last thing here is like software as a service and this is something where the CSP is responsible for everything so if you're thinking of a software as a service think of like Microsoft Word where uh you're just writing uh you know writing stuff in there and you know you you are responsible for where you might choose to store your data but the data is like still handled by the cloud service provider because you know it's on the cloud so on their servers right um so yeah hopefully that gives you kind of an idea across types of cloud uh computing responsibilities [Music] all right so what I want to do here is just shift the lens a bit and look at the shared responsibility model if we were just uh observing a subset of cloud services such as compute and so we're going to see infrastructure as a service platform as a service software as a service and now we have function as a service and so that's what I mean when we shift the lens we get new information uh and so you can just see that you really 
don't want to look at this uh from one perspective okay so starting at the top here we have bare metal uh and so AWS's offering is called the EC2 bare metal instance and this is where you basically get the whole machine uh you can configure the entire machine with the exception of the physical machine itself so as the customer you can install the host OS um uh the host OS so the operating system that runs on the physical machine and then you can install your own hypervisor um and then AWS is going to be responsible for the rest the physical machine now normally the next step up would be dedicated but dedicated doesn't exactly give you more responsibility it gives you more assurance because it's a single tenant uh virtual machine and that's why I kind of left it out here um but we'll see it in the next slide that it is kind of on the model and shares the same spot as uh EC2 um but EC2 is a virtual machine and so um here the customer is responsible for the guest OS so that means that you can choose what OS you want whether it is Ubuntu or Debian or Windows but that's not the actual OS that is running on the physical machine and so you're not going to have control of that AWS is going to take care of that then there's the container runtime so you know you you can install Docker on this or any kind of container layer that you want um so that's another thing that you can do so AWS is going to be responsible for the hypervisor uh the physical machine and the host OS all right then looking at containers it has more than one offering for containers but we'll just look at ECS here and so um this is where you are going to uh have uh you don't you don't install the guest OS right the guest OS is already there for you what you are going to do is choose your configuration of containers you're going to uh deploy your containers you're going to determine where you need to access storage for your containers or attach storage to your containers and AWS is going to be 
responsible for the guest OS it it the and there might not even be a guest OS but there the host OS the guest OS the hypervisor the container runtime uh and you're just responsible for your containers okay then going to the next level here we have platform as a service and so this one also is a little bit odd where it fits um because the thing is is that this could be using anything underneath it could be using containers it could be using virtual machines um and so that's where it doesn't exactly fit well on a linear graph but let's just take a look at some things here so this is where you're just uploading your code uh you have some configuration of the environment you have options of deployment strategies um the configuration of the associated services and then AWS is going to be responsible for the servers the OS the networking the storage the security so it is taking on more responsibility than infrastructure as a service um uh whereas you know AWS is just going to be responsible for that so if it's a virtual machine that it's being under uh under the use the is going to be responsible for this customer stuff okay you're not if it's containers then AWS is going to be responsible for this but it just depends on how that platform as a service is set up actually the way Elastic Beanstalk is set up is that you actually have access to all that infrastructure and you can fiddle with it and so in that case um whereas like if you were to use Heroku which is a third party provider um you know they would take care of all this stuff up here um and so you would not have to worry about it but on AWS you actually are responsible for uh the underlying infrastructure because you can you can configure it you can touch it so that's where you know again these do not fit perfectly you can't look at platform as a service meaning that um you're not responsible for certain things it really comes down to the service offering okay then we're taking a look at software as a service so on 
AWS um this is going to be something like um Amazon WorkDocs which is I believe a competitor uh not a very popular competitor but a competitor to Microsoft SharePoint and this is for content collaboration so as the customer you're responsible for the contents of the document management of the files configuration of sharing access controls and AWS is responsible for the servers the OS networking the storage the security and everything else so you know if you use a Microsoft Word doc and you type stuff in it you say where to save it that's what you're responsible for okay the last one here on the list is our uh functions here and so AWS's offer is AWS Lambda and so as the customer all you're doing is you're uploading your code and AWS is going to take care of the rest so deployment container runtime networking storage security physical machine basically everything um and so you're really just left to uh develop okay so you know hopefully that gives you kind of an idea and again you know we could have thrown in a few other services like what we could not fit on this slide here was um uh AWS Fargate which is a serverless container as a function or sorry serverless uh serverless container as a service or container as a service so uh you know that has its own unique properties in the model as well okay so let's just have kind of a visualization on a linear graph here so we have the customer's responsibility on the left-hand side and AWS's responsibility on the right and we'll look at our broad category so we got bare metal dedicated virtual machine containers and functions and so no matter uh which uh type of compute you're using you're always responsible for your code for um containers you know if uh you know like uh the functions when you're using functions there are pre-built containers so you say I want to use Ruby and there's a Ruby container and you don't have to configure it but obviously um you know when you are using container service you 
are configuring that container you are responsible for it for um virtual machine you know you're responsible for the runtime so you can install a container runtime on there or install a bunch of different packages like Ruby and stuff like that uh the operating system you have control over in the virtual machines for the dedicated and we saw with bare metal you have both uh controls of the host OS and the guest OS and then only bare metal allows you to have control of the virtualization where you can install that hypervisor so hopefully that gives you an idea of compute and AWS's offering there and also kind of how there's a lot of little caveats when we're looking at the shared responsibility model [Music] okay all right so I have one more variant of the shared responsibility model and this one is actually what is used by Google so um we're going to apply to AWS and uh see how it works so let's just kind of redefine shared responsibility model or just in a slightly different way so we fully understand it so the shared responsibility model is a simple visualization that helps determine what the customer is responsible for and what the CSP is responsible for related to AWS and so across the top we have infrastructure as a service platform as a service software as a service but remember there's other ones out there like functions as a service it's just not going to fit on here um okay so and then uh along the side here we have content access policies usage deployment web application security identity operations access and authentication network security remember that's cloud networking security the guest OS data and content audit logging now we have the actual traditional networking or physical networking storage and encryption and here we're probably talking about the physical storage hardened kernel IPC uh the boot the hardware and so then here we have our bars so we have the CSP's responsibility and the customer responsibility so when we're looking at a SaaS software 
as a service uh the customer is going to be responsible for the content remember like think of like a word processor you're writing the content the access policies like say I want to share this document with someone the usage like how you utilize it can you upgrade your plan things like that then next on our list here is platform as a service so generally uh you know platform as a service is for developers to develop and deploy applications and so they will generally have more than one deploy strategy and uh you know there might be some cost-saving measures to choose like uh you might have to pay additional for security uh or you it's up to you to configure in a particular way or you might have to integrate it with other services uh and you know we saw that PaaS is not a perfect uh definition or fit because you know when we look at Elastic Beanstalk if you have access to those resources and you can change them underneath then you might have more responsibility there than you think that you would okay the next one here is infrastructure as a service and so this is extending to Identity so who's allowed to uh you know log into your AWS account uh operations the things that they're allowed to do in the account access and authentication do they have to use MFA uh things like that network security obviously you can configure the security of your uh Cloud infrastructure or Cloud Network um you know so you know do you isolate everything a single VPC how do you set up your security groups things like that uh we know with virtual machines you can set up the guest OS there's data and content but remember that bare metal is part of the uh infrastructure service offering and so that's where we'd see Hardware or not Hardware but you'd have the host OS or virtualization and so this again is not a perfect representation uh but it generally works okay and then last on the list there um or just looking at what AWS is responsible for audit logging so of course AWS has
CloudTrail which is for uh uh logging uh API um events but audit logging could be things that are uh internally happening with those physical servers then the networking the physical storage uh hardening the kernel AWS has I think what's called the Nitro system where they have like a security chip that's uh installed on all their servers then it's the the boot OS uh and then the hardware itself okay so just remember the customer is responsible for the data and configuration of access controls that reside in AWS so if you can configure it or you can put data on it you're responsible for it okay the customer is responsible for the configuration of cloud services and granting access to users via permissions right so if you give uh one of your employees access to do it um you know even if it's their fault it's your fault so remember that um and again the CSP is generally responsible for the underlying infrastructure we say generally because you know there's edge cases like bare metal and coming back to AWS's in the cloud and of the cloud so in the cloud so if you configure it or store it then you the customer are responsible for it and of the cloud if you cannot configure it then the CSP is probably responsible for it [Music] okay hey this is Andrew Brown from exam Pro and we are looking at the shared responsibility model from the perspective of architecture and if you're getting sick of shared responsibility model don't worry I think this will be the last uh slide in this section but let's take a look here so uh we have uh less responsibility more responsibility at the bottom so what we have down here is traditional or virtual machine architecture so Global Workforce is most familiar with this kind of architecture and there's lots of documentation Frameworks and support so maybe this would be using Elastic Beanstalk with platform as a service or using ec2 instances alongside with Auto scaling groups uh CodeDeploy uh load balancers things like that the next level here
is microservices or containers this is where you mix and match languages better utilization of resources so maybe you're using fargate which is serverless containers or elastic container service or elastic kubernetes service for containers and at the top here we have serverless or commonly with functions as a service so there are no more servers you just worry about the data or uh and the code right so literally just functions of code and so you could be using the amplify serverless framework or maybe AWS Lambda for creating serverless architecture so there you [Music] go hey this is Andrew Brown from exam Pro and we are looking at Computing Services and before we jump into uh the entire Suite of Computing Services AWS have let's just talk about ec2 for a moment which allows you to launch virtual machines so what is a virtual machine well a virtual machine or VM is an emulation of a physical computer using software server virtualization allows you to easily create copy resize or migrate your server multiple VMS can run on the same physical server so you can share the cost with other customers so imagine if your server or computer was an executable file on your computer okay so that's the kind of way you want to think about it when we launch a VM uh we call it an instance and so ec2 is highly configurable server where you can choose the Ami so the Amazon machine image that affects options such as amount of CPUs or vcpus virtual CPUs the amount of memory so Ram the amount of network bandwidth the operating system so whether it's Windows Ubuntu Amazon Linux 2 uh the ability to attach multiple virtual hard drives for storage so elastic Block store um and so the Amazon machine image is a predefined configuration for a VM so just remember that and so ec2 is also considered the backbone of AWS because the majority of AWS services are using ec2 as the underlying servers whether it's S3 RDS 10B or lambdas that is what it's using so um what I say also it's just because when we talk about
the it Network that is the backbone for uh Global infrastructure uh and the networking at large and so ec2 is for the services [Music] okay hey this is Andrew Brown from exam Pro so we just looked at what ec2 is well let's look at more of the broader services for computing and these are the more uh common ones that you'll come across there's definitely more than just what we're going to see on this single slide here so we'll break this down with virtual machines containers and then serverless for virtual machines remember that's an emulation of a physical computer using software and ec2 is the main one uh but for our VM category we have Amazon Lightsail this is a managed virtual server service it is the friendly version of ec2 virtual machines so when you need to launch a Linux or Windows server but you don't have much AWS knowledge you could launch a WordPress here and uh you could hook up your domain and stuff like that um so this is a very good option for beginners we have containers so virtualizing an operating system or OS to run multiple workloads on a single OS instance so containers are generally used in microservice architecture when you divide your application into smaller applications that talk to each other so here we would have ECS elastic container service this is a container orchestration service that supports Docker containers launches a cluster of servers on ec2 instances with Docker installed so when you need Docker as a service or you need to run containers we have elastic container registry ECR this is a repository of container images so in order to launch a container you need an image an image just means a saved copy a repository just means a storage that has Version Control we have ECS fargate or just fargate now people are kind of forgetting that it's it runs on ECS these days that's why I have it in there it is a serverless orchestration container service is the same as ECS except you pay on demand per running container so
with ECS you have to keep a ec2 server running even if you have no containers running so it manages the underlying server so you don't have to scale or upgrade the ec2 server so there's the advantage over ECS okay then we have elastic kubernetes service eks this is a fully managed kubernetes service kuber or so kubernetes commonly abbreviated to K8 is an open-source orchestration software that was created by Google is generally the standard for managing microservices so when you need to run kubernetes as a service then we have serverless category so when the underlying servers are managed by AWS you don't worry or configure servers AWS Lambda is a serverless function service you can run code without provisioning or managing servers you upload small pieces of code choose much uh how much memory how how long you want the function to run is allowed to run before timing out and you are charged based on the runtime of the serverless function rounded to the nearest 100 milliseconds so there you go [Music] hey this is Andrew Brown from exam Pro and what I want to do is just show you a variety of different Computing Services on AWS so I'm going to try to launch them and uh we're not going to do anything with them just going to Simply launch them okay so the first I want to show you is ec2 and by the way we will go more in depth in ec2 later on in this course here um but what I'm going to do is go ahead and launch the instance don't worry about all this stuff but just choose the Amazon Linux 2 so it's in the free tier all right we're going to choose an instance type of a T2 micro so that's part of the free tier it's going to be set as one all these options are fine I want you to go ahead and review and launch we're going to launch and I don't want to generate any key pair I'm going to proceed without a key pair I'm going to acknowledge that because I don't want it and that's all there is to launching an ec2 instance and so I can go here and view my instances and what you'll see is
it's pending okay and usually it has like a little spinning icon maybe they've updated it since then so I go here it's hard to see because there's all these terminated ones but I don't need to do anything with it I just wanted to show you the actions that you'd have to do to launch it actually we'll leave it alone maybe we'll see it when it's launched the next one I want to show you is elastic container service um and wow this this is old let's go let's get the new experience please so old okay checkbox that on and we'll hit get started and we'll say create a cluster and we have some options here networking only ec2 Linux plus networking uh for use with either AWS fargate or external Windows um uh this is if you're doing fargate which we're not doing right now fargate is part of elastic container service it used it well used to be it is called ECS fargate but AWS markets it as a separate service we'll go to next and say my ECS cluster um we can create an empty cluster but that would make it a fargate cluster which we don't want there's an on demand server look it's M6 I large if you're very afraid of a lot of spend here you don't have to do this you can just watch me do it and just learn well what I'm going to do is try to find something super cheap so I want a T2 micro or a T3 micro T2 micro is part of the uh free tier I don't know if we get to choose T2 anymore in here they might not let you there it is you know T3 micro is great too I just whatever says it's free that's what I'm going to go for number of instances one the Amazon version is fine I don't care about a key pair uh use the existing VPC I don't want to have to make a new one select the existing ones okay uh let it create a new security group that's totally fine allow those to be fine create a new role that's fine create okay and so that's going to create ourselves a cluster um I'm going to just make a new tab here let's just check on our ec2 instance and so if we look at our ec2 instance it is
running okay great so it has a private IP address it has a public IP address all right um there's not much we can do with it I can't even log into it because we didn't generate out a key pair sometimes you want to name these things so I just go here and name it my server okay go back to our ECS instance and the cluster is ready so we'll go here and oh nice we got a new UI and so if we wanted to deploy something as a service or a task um we would need to create a template like a task definition file uh they don't have a new UI for this you're being redirected to the previous version console because this isn't available in the new experience yet of course it isn't so we can create a new task definition file that's what's used to run it it's basically like a Docker file compose file whatever you want um we have fargate or ec2 we are doing ECS so we're going to have to do ec2 so we'll say my ECS yes uh task def file um task role opt optional IAM role I don't need one network mode I don't care um and then this is the idea is that because a container allows you to use up a particular amount of the um thing we don't have to use all of the memory so we should look up what a T2 micro is because I don't even remember what size it is okay T2 micro AWS so we go here we look at the instance types and we're going to flip over to T2 and it says that it's one vcpu one gigabyte of memory so what I'll do one yeah one okay that's fine so what we want and this is in megabytes so we'll say 500 megabytes and um I don't know if we can do less than one but I'm going to do one here um the task CPU must be an integer greater than or equal to 128 okay fine 128 oh I guess it's 1024 would utilize the whole thing so I could say 512 okay and this is where we would add our container so I don't do this every day so I don't remember how to do this we'll say my container um and I need a repository here so I need like dockerhub Hello World okay I don't care what it is I just need an image that's simple
and I'm looking for the address here um I'm hoping that's just this dockerhub URL so it'd be something like this right docker.io probably Docker IO Docker image um Docker Hub URL in ECS okay it goes to show how often I'm launching these things so repository URL Docker image so I think that what we're going to do here I would really just like the URL please reviews tags where is it where is it it's somewhere here right uh uhuh uh well let's just try it we'll go and we'll type in says image and tag so docker.io hello world I really need an image ID image URL hello world dockerhub they're not making my life easy here today anything I just want to see like a single example docker.io Docker IO URL examples ECS this is what it's like you know this is what you're going to be doing if you are um you know a cloud engineer you're going to be Googling a lot and just trying to find examples here so here it says docker.io the name the host name okay so we'll just try it okay so I think that the the the name here is underscore and then it's hello world and that's what's throwing me off here right docker.io just hold on here repository URL and then there's the tag I don't know if like is the tag going to be like latest view available tags latest okay so what I'll do here and that's the thing you got to have a lot of confidence too so hard limit soft limit um do I have to set it do I have to set any of these things can I just go to the bottom and hit add looks like I can okay so we'll scroll on down create we create our task definition file which is fine we're going to go back to our cluster it's going to bring us back to the new experience we're going to click into this cluster holy smokes uh we're going to hit deploy and we are going to choose service that means it's going to continuously run task means that when it's done running it ends we're going to choose our family our version that's the task definition file there is not compatible with the selected compute
strategy my task file what if I just choose task take that okay some maybe some you have to like code it so that it continuously runs I don't care we don't need to run a service here the selected task definition is not compatible with the selected compute strategy okay let's see why uh can you double check if you're using fargate strategy instead of the ec2 uh blog designed for the ec2 strategy so probably what it's suggesting is that the the strategy file I made is not for the right one here task definitions go back over here well what's wrong with it task role none my container so what I'm going to do because I don't trust this just going to go ahead and delete this can I delete this how do I delete this oh boy actions deregister deregister we'll create a new one and so it has tools like AWS Copilot um CLI to make this a lot easier because you can see this is very frustrating but I chose this so my task def requires compatibility of ec2 default 512 512 add container we're going to uh was it docker.io underscore what's it called hello world latest I we'll just say hello world here and we'll just say uh 512 which is fine I don't care about any port mappings I'm just reading it carefully here to see what it wants we'll say 512 maybe because I didn't specify them it's complaining this looks fine we'll hit add okay constraints type this all looks fine so we'll try this again and so we now have our file let's see if we can just run this task from here ec2 this is just another way to do it so we just choose the cluster this is actually a lot easier to do it this is old old old Eh this is ugly and so now it launches so you know if you have trouble one way then just do it another way and uh sometimes it'll work here so I don't expect this task to really work in any particular way if it's pending that's fine if it fails that's fine if it's successful that's fine I don't care I just want to go through the motion so it was successful it it ran and then it stopped I
don't know if we could see like the output anywhere probably what it would do is it would log out something like into somewhere and so I don't know if like there's logs turned on for this if I go over to like CloudWatch logs maybe I could see something a lot of these services will automatically create CloudWatch logs so sometimes you can just go look at them there so we'll drop down we'll go to log groups here there is some stuff here um there's a couple that I created from before just go ahead delete those and so what I'm looking for is like ECS so no there's no logging happening here which is totally fine so that is ECS um for fargate it's pretty much uh the the same the difference is that fargate is like it has to start up and run so it's a lot slower to watch okay and now let's go take a look at a Lambda okay so this is our serverless compute so we go ahead and create ourselves a function uh we can start from a blueprint that doesn't sound too bad and I personally like Ruby so no not getting much here but we can do is look for something that do we have like a hello world there we go hello world and we'll click that we'll say my hello world uh it's going to create those permissions that's fine it's showing us the code it's very simple okay it's going to console log out these values not a very good hello world function doesn't even say hello world how can you call it a hello world function if it doesn't say hello world I don't understand so we're going to go ahead and create this function usually doesn't take this long okay so uh here is our function here is our code notice that this is Cloud9 okay and you can even move that over to Cloud9 they didn't have this button here before that's kind of cool I hit test they used to have it up here but I guess they wanted to make it more obvious so they moved it down here which is nice so what I can do is hit this oops my test it's going to send a payload here to the actual function uh and it's going to tell us if it
works okay so can I run my test go over here to test they changed it a bit so I guess I created there it succeeded so I have my logs okay so it's it's going to Output those values there so there are the three values which basically is nothing maybe you were supposed to set those an environment variable but you can see you're just uploading uh some code right it's just a bit of code it's not like a full app or anything so we launched an ec2 container we did a um sorry ec2 instance a container we did a serverless function there's other things like eks but that is really really hard to set up okay because uh you'd have to use like kubernetes commands and stuff like that and my kubernetes knowledge is always very poor um I'm just taking a peek here to see if they've updated it so yeah you create the cluster but like deploying it is forget it I'm just trying to think if there's anything else I kind of want to show you um no those are the main three I would say so I'm pretty happy with that um what I'm going to do is go and kill all these things so we're going to go over to Lambda okay and I'm going to go ahead and delete this as you saw ECS was the hardest and no matter how many times I've built things on ECS and I've deployed full things on ECS I can't remember I always have so much trouble with task definition files it's unbelievable we'll go over to our cluster here and ECS cluster up here make sure you're not in the fargate cluster I know I'm clicking really fast but there's just so many things to click and I'm going to click into this cluster we're going to go hit edit because this is running an ec2 instance right I need to destroy it um it just took me back to the old one here um I want to delete no I want to delete the cluster click back here where do I delete it up here here I can't checkbox anything uh how do I delete this do I have to delete the task first maybe so we'll go here I mean it's already stopped there's nothing to do edit uh huh account settings wow
this is confusing okay how to delete ECS cluster got to be kidding me I have to actually look this up so open the ECS console from navigation in the navigation choose clusters and the new turn off the E uh turn off new ECS experience and choose the old console the delete cluster workflow is not supported in the EC ECS console are you serious then why why do you have it like why even let people use the new experience if that you don't have all the functionality there um oh I was going to give it feedback but it didn't let me here it says uh I need to delete an ECS cluster no okay so I'm here there's my big ugly cluster delete cluster okay so yeah it it's a struggle okay like things are always changing on me but uh you just have to have confidence and if you've done it a few times you know that can do it right um and that's one of the biggest Hang-Ups to Cloud I would say so it's going to take a few minutes apparently to delete the cluster as that is going let's go over to ec2 I didn't close it I kept this tab open and uh there's our ec2 instance we can go ahead and terminate that instance terminate okay and if this says it's terminating then we're in good shape Terminator shutting down that's fine and notice here that's the ECS instance just make sure you shut down the my server not the um the ECS instance cuz that's going to stop and so this is already terminated but if we go back here notice that it says that it's not done but it clearly clearly has shut down okay so I'm going to wait here for a bit even though I know it's been deleted maybe it's deleting things like the auto scaling group so we go down below here right so that's probably what it's doing it's probably trying destroy the auto scaling group but it doesn't show any here so it must have already destroyed it yeah so task Services delete so I'll be back here in a bit but I know it's safe it's already deleted but I'll see you back here in a bit okay so I waited literally a second and it's now deleted so
we deleted our Lambda we deleted our oh did we delete our Lambda good question now I'm not really worried about the Lambda because I guess we did but I'm not really worried about it because um you know at when it rests at idle it's not costing us anything where the ECS and the ec2 are backed by ec2 instances so we do have to shut those down okay and again remember make sure you're in the correct region sometimes that gets flipped over and then you think those resources are gone but they're actually not they're just running in another region so uh there you [Music] go hey this is Andrew Brown from exam Pro and we're taking a look at high performance Computing Services on AWS so before we do we got to talk about the Nitro system so this is a combination of dedicated hardware and lightweight hypervisor enabling faster Innovation and enhanced security all new ec2 instance types use the nitro system and the Nitro system is designed uh by AWS okay so this is made up of a few things we have Nitro cards these are specialized cards for vpcs EBS instance storage and uh controller cards you have Nitro security chips these are integrated into the motherboard protects Hardware resources and we have the Nitro hypervisor this is the lightweight hypervisor memory and CPU allocation bare metal like performance there's also uh Nitro enclaves but you know that's a bit out of scope here but that's has to do with like ec2 isolation Okay uh then we have bare metal instances so you can launch ec2 instances that have no hypervisor so you can run workloads directly on the hardware for maximum performance and control we have the M5 the R5 um ec2 instances that can run bare metal there's other ones I believe I've seen as well but um you know if you are running bare metal you can just go investigate at the time of okay we have Bottlerocket this is a Linux based open source operating system that is purpose built by AWS for running containers on VMS or bare metal hosts then uh let's just Define
what HPC is so it's a cluster of hundreds of thousands of servers with fast connections between each of them with the purpose of boosting Computing capacity so when you need a supercomputer to perform computational problems too large to run on a standard computer or computers or would take too long this is where you know HPC comes into play one solution here is AWS ParallelCluster which is uh an AWS supported open source cluster management tool that makes it easy for you to deploy and manage high performance Computing HPC clusters on AWS so hopefully that gives you an idea of this stuff [Music] okay all right so let's take a look at HPC or high performance Computing on AWS so HPC is for running large complex simulations and deep learning workloads in the cloud with a complete Suite of high performance Computing product Services gains Insight faster and quickly move uh from idea to Market blah blah blah blah blah it's for ML or very complex scientific Computing stuff these run at least on C5ns okay and the way it works is that you use this um CLI called pcluster or AWS parallel compute uh or AWS parallel cluster stuff and so let's see if we can get this installed very easily um so what I'm going to do is see how hard it is to install now I don't recommend you running this because I don't know what it's going to cost me and if I make a misconfiguration I don't want you to have that spend here but I don't think it's that dangerous so I'm going to go back over to us East one here I'm going to open up cloudshell and I'm going to give it a moment to load and so as that is loading let's take a look at how we would go ahead and install this so install the current parallel um it was parallel I think we just copy that line okay and so we have to wait for our environment to spin up all right so once it has spun up we will install it and then we will jump over to this tutorial here okay so we'll give this a moment and after waiting a little while here it looks
like our shell is ready it looks like it's in bash um I'm just going to type in S3 LS that's a sanity check okay and it works that's great so we go back over here and I'm going to go back up to install for Linux and what I need is that single command where is it so I'm certain that we already have Linux or python installed but I just want the command to install it you saw it a moment go here I'm just going to back out till I can find it uh one more there it is so it's under oh it's this link here and that's what I talk about the documentations being tricky sometimes you have to click these uh headings here to find stuff so this is the first time installing it so we'll grab that usually you're supposed to create in Virtual environments with python I don't care this is my cloud shell it doesn't matter to me so we're going to go ahead and download that and hopefully it is fast and it was super fast which was really nice and so what we'll do is go check out the pcluster version okay and that looks fine to me I'm going to go down below here to run our first job um the returns the it gives outputs I don't think we need to configure it because we already have our CLI so what I'm going to do is go ahead and create ourselves a new cluster um beginning cluster creation configuration file config not found so I guess we do have to configure this configure and it's asking what region do we want to be in um if I have us East one I would choose it for some reason it's all the way for number 13 that is not a lucky number but I'm going to choose it anyway anyway no key pair found in us East one region please create one of the following um so create an ec2 key pairs uh no options found for ec2 key pairs that's fine so what what I'll do is go over here and we'll go over to ec2 and we will go over to key pairs key pairs key pairs key pairs we'll create ourselves a new one here so say um HPC key pair or just my HPC so we know what it is for we have putty or pem we're going to do pem
because we're on Linux we'll create that and notice that it downloaded the pem down down here and we're going to need that for later um and so what I'll do is I'll type in pcluster here again configure we'll choose 13 we'll choose number one here uh allowed values for the scheduler I have no idea what these are uh let's choose the number one allowed values for the operating system Amazon Linux 2 I know what that is minimum cluster size one maximum cluster size two head node instance oh T2 micro you can do that yeah let's do it I didn't know we could do that enter compute type uh T2 micro sure so I thought that we'd have to use a c5n but I guess apparently not automate VPN uh VPC creation yes of course network configuration so allow values for the network configuration uh head node in a public subnet and and compute Fleet in a private subnet uh head node and compute yeah we'll do it in the both just to make our lives easier I don't care first one sounds more secure of course and so oh it's creating CloudFormation stack wow this is easy I thought this was going to be super painful okay so we'll go over here we'll go take a look at what CloudFormation's doing all right now I don't care if we actually run a task on here but it was just interesting to go through the process to see how hard it was and we will go look at what resources are being created so it's creating an internet gateway so it's literally creating a isolated VPC for it which is totally fine I guess um it's creating a subnet creating a route table refresh here um I'm not sure how much it wants to create here it just looks like VPC that's all it's creating I thought maybe the ec2 instances would show up here but maybe it's going to launch that on a need be basis okay so that's all created oh now it's doing a VPC Gateway I think VPC gateways cost money let's go take a look here VPC pricing yeah there's a uh transfer fee so just be careful about that you know again you can just watch along here you don't
have to do it default route depends on public so now it's creating ec2 route I don't know what an AWS ec2 route is I've never seen that before sometimes what we can do is go into ec2 and then take a look on the left hand side you see anything in here we don't know what it is we just type in ec2 route CloudFormation sometimes CloudFormation is great for figuring out what a component is not all components are represented in the um in the AWS um Management console so specify route in the route table oh it's just a route okay and we'll go back here we'll refresh so that is done is the stack done created complete good we'll go back to our Cloud shell it says you can edit your configuration file or simply do Etc so now let's see if we can create the cluster I assume this would create ec2 instances so the job scheduler you are using is sge this is deprecated in future use parallel cluster well should have told me okay there is a new version of 301 parallel available I don't understand because I just installed it right we'll go back to CloudFormation just going to probably create nested Stacks which that's what I thought it would do nested Stacks means that it's Reliant so there's one main one and then there's uh children stack so go here see what resources it's creating oh whole bunch of stuff wow so many things SQS SNS uh network interface a DynamoDB table Yeah you you probably don't want to run this you just want to watch me do it and then we go into here it's creating uh an ec2 volume so that's going to be EBS and then here we have uh a log group I don't know why they separated those out do seem very necessary we are waiting on the elastic IP that always takes forever creating elastic IP root instance profile that is the IAM role for it that didn't take too long these these take a long time I I never know why create a role it's really easy but attaching an IAM policy you're always waiting for those um so I'm going to just stop it here I'll be back in a second because I
don't want to have to make you watch me stare at the screen here okay all right so after a really really long wait um and it always takes some time there it finally created I'm not sure what it's made I mean we generally saw over here in the outputs but usually the cost that I'm worried about is whatever it's launching under EC2 it might not even have launched any servers here we're going to take a look here see if there's anything so we have a master and a compute and they're t2.micros so seems pretty safe here um this compute is not running yet so I'm assuming that this is like the machine that does the computing and maybe if you had multiple machines here like that would be the cluster like could manage multiple computes um I'm not particularly sure but let's just keep going through the tutorial and see what we can do the next step is we need to get this PEM key in our CloudShell here so this I don't know where this is but what I'm going to do is I'm going to move it to my desktop I'm doing this off screen by the way so I'm moving it to my desktop and then I'm just going to go and upload the file okay and there it is so we'll say open and we'll say upload and it's going to upload it here onto this machine and I believe this is on like uh I think this uses an EFS instance like if you're wondering where the storage for CloudShell is if we go over here I think it's EFS is it huh I don't know where it is okay maybe it's just a maybe it's something else okay I can't remember where it is but anyway um so now it's created the cluster can I hit enter here okay can I create a tab like if I quit this is it going to kill it it exited it which is I think it's fine I don't think it stopped running and so now if I do an ls there's my key and so we can go back to our instructions just have too many tabs open here drag this all the way to the left here and so we can try to use our key here to log in so what I'm going to do is go here and we'll say my HPC pem and see if that 
works we'll say yes and permission denied it is required your private key is not accessible that's because we have to chmod it um I never remember the command anymore cuz I rarely SSH in the machine but if we go to connect and we go to SSH client it'll tell us what we need to run chmod 400 okay so that's what we need to do is we need to do a chmod 400 just wanted to grab that code there okay and now if we hit up we should SSH into the machine there we are we are in the instance we'll type in exit and so now we want to run our job on this machine and if we go back over to here I guess we can go create our first job so I'm just doing this in vi and I'm going to paste that in yep and I don't want the first line oh okay that's perfect great write quit oh there's no file name hold on here so I need to name this file something so I'm going to say job.sh and we're going to paste that again here we'll say paste and I don't know if that's cut off yeah it is okay great is that one okay I don't trust that the first line is there so what I'm going to do is go back to our tutorial here it's shebang /bin/bash uh this then that /bin/bash just double check it looks good to me we're going to quit that I'm just going to make sure that it is what we said it is so job.sh looks correct to me good and so we'll try to run our job here so I'm going to say qsub job. 
sh ls and I guess it really depends on what we decided to use when we set up that thing I can't remember what we chose as our queue we do qstat oh okay okay okay so I think the thing is like you see how we have SGE I think that that's what we use to queue up jobs and so we have to have that installed probably so install configure Sun Grid Engine SGE install um Linux oh boy that looks like a lot of work so I don't think we need to do anything further here but as far as I understand the idea is that you're choosing uh some kind of way to manage these and so I'm not sure what q qsub is let's just go look up what that is what is qsub oh that is the Sun Grid Engine okay so how do we install that um I'm just going to see if we can install it so I'm going to do I think this is using yum so if I do clear here clear yum install qsub let's see if I can do it sudo yum install qm no package available Amazon Linux 2 qsub because that's probably what we're running in CloudShell qsub doesn't tell us how to install it that's great so that's probably what it is and so in order to use this we would have to install that Sun whatever whatever and then we go through we do qsub it would queue it up um we could do qstat cat hello destroy it that's pretty much all we really need to know to understand this um it would have been nice to queue up a job and see it work but you know we're getting kind of into a hairy territory here and I think that we fundamentally understand how this does work so what I'm going to do is I'm going to go here I'm going to remove the job.sh here and and I want to destroy this cluster um so I'm going to do pcluster commands to figure out what all the commands are and there's probably a delete command so we'll go back up here pcluster where is our create so we'll say delete okay and so what that's going to do is just tear down all the stuff now so if we go over to CloudFormation okay and it looks like it's destroying so yeah I'll see you here uh back in a bit 
when it's all destroyed okay all right so after a short little wait there it has destroyed it's been so long that I uh my connection vanished but just make sure if you did follow along for whatever reason uh you know make sure that the stuff is deleted and it looks like it did not destroy uh this so I'm going to go ahead and delete that that's just VPC stuff so I'm not too worried about it I know that's going to roll back no problem and so I'm going to consider this done so going to make my way back to the Management Console close this stuff up and we are good to go uh for our next [Music] thing hey this is Andrew Brown from ExamPro and we're taking a look at edge and hybrid computing services so what is edge computing when you push your computing workloads outside of your network to run close to the destination location uh so an example would be pushing computing to run on phones IoT devices external servers not within your cloud network what is hybrid computing when you're able to run workloads on both your on-premise data center and the AWS uh VPC okay so we have a few services here starting with AWS Outposts this is a physical rack of servers that you can put into your data center AWS Outposts allows you to use AWS APIs and services uh such as EC2 right in your data center then we have AWS Wavelength this allows you to build and launch your applications in a telecom data center by doing this your applications will have ultra low latency since they will be pushed over the 5G network and be closest as possible to the end user um so they've partnered with things like Verizon Vodafone uh Business and a few others but those are the two noticeable ones okay we have VMware Cloud on AWS so this allows you to manage on-premise virtual machines using VMware uh within EC2 instances the data center must uh be using uh VMware for virtualization for this to work okay then we have AWS Local Zones which are edge uh data centers located outside of the AWS region so you can use AWS closer to 
the edge destination when you need faster computing storage databases in populated areas that are outside of AWS region you could do this there's some other edge offerings on AWS that aren't listed here like SageMaker has what's called like Neo SageMaker um let you do edge computing with um ML but I mean this is good enough [Music] okay all right so I wanted just to show an example of edge computing uh because we didn't cover it in our generic uh compute and so there's a variety of services that allow you to do edge computing like Wavelength and so um I've never actually launched Wavelength before and I think that uh you have to request it so if I go over to support here again I've never done this before but I'm sure we can figure it out pretty easily I feel that if we create a case um maybe it's like service limit we type in wavelength here nope not there so how do we get Wavelength Wavelength AWS request so that's what I'm looking for here okay how do I use Wavelength AWS whoops and sometimes what I'll do is go to the docs here opt into Wavelength Zones before you specify Wavelength Zone for resource or service you must opt into it to opt in go to the AWS console okay so we'll go to EC2 and then it's going to say use the region selector in the navigation bar to select the region which supports your Wavelength Zone so I know that there's stuff in uh US West because of Las Vegas right or not Las Vegas but Los Angeles right so if we go over here there's definitely that over there on the navigation pane on the EC2 dashboard under account attributes select zones okay do we see zones here zones oh EC2 dashboard zones let's go check here again on the navigation pane choose EC2 dashboard we are there right and under account attributes uh settings account attributes oh over here okay oh it's here zones and so there we have two zones and we see switch regions to make uh zones a different region okay so under zone groups turn on Wavelength Zone groups okay nothing there so 
I'm just going to switch over to another one here maybe Oregon maybe it's us-west-2 oh look at all the stuff we have here I've never seen these before okay so here is the Wavelength one so that is the Los Angeles one we can go ahead and enable this before disabling the zone group I'm not sure what zone groups cost so Wavelength Zone pricing again you might just want to watch me do this because it might cost money um and so you might not want to have to spend for that pricing uh provides mobile networks Wavelengths are available across whatever learn about the data transfers in price about EC2 instances okay so what's the price we go into here all right so what I'm going to suggest to you is don't do this but I'm going to do it and we're just going to see what the experience is like okay so I'm going to update my zone so now I have this one so we'll say enable I'm going to assume that it has to do with like data transfer costs okay and uh we're going to go over to EC2 and we're going to go over to instances here here we're going to launch an instance and we're going to see if we we have that available now I don't know if we're restricted to to particular uh instances I assume we can launch a Linux machine it'd be really weird if we couldn't you know we'll go over to configuration and what we want to do is choose uh the zone so how do we do it so once it's turned on confirmation and confirm it configure your network so create a VPC create a carrier gateway so you can connect your resources into the the VPC to the telecommunication network holy smokes this is complicated but it's just kind of interesting to see like the process right you know it's not for our use case but uh carrier gateway right and as I do this I always check up all the costs here so I say carrier gateway pricing AWS because maybe that's where the price is okay if you don't get a pricing page then usually that's hard to say logically isolated virtual network again it's not telling me what um to use 
carrier you need to opt into at least one Wavelength Zone but I did right and sometimes what happens is that it just takes time for the opt-in to to go so go here manage the zone settings that was a lot easier way so we have one it's we're opted in right here okay and okay we'll we'll go here again if that one didn't work um we can try so the I guess these are all the regions Denver things like that can I opt opt into this one opt in it's not super exciting like all we're going to do is launch an EC2 instance but you know we'll go through the process here a bit and I don't know why I can't create one so we'll go back over to the instructions here create so you can connect so create a route table using the VPC to the route table so I think that's as far as we're going to get here because I'm not seeing any options here but the idea was that we would have to create a carrier gateway we'd update our route tables and all we would be doing is launching an EC2 instance so you know it's no different than launching it you just choose a different subnet so I think you'd have to create a subnet for that zone and launch it in there and that would be edge computing another example of edge computing would be something like via CloudFront which we have uh these um edge functions or not edge functions yeah functions here and so these are functions that are deployed to CloudFront so my CloudFront function and these would be deployed to um edge locations right and all you can use here is JavaScript so here's an example of one and um I'm fine with this development live this function is not published we'll go to test test the function it's good publish publish that function and so the advantage of this is that you know if you have functions that are in AWS Lambda there's a chance of cold start um whereas if they're deployed on the edge here there's still probably a cold start but it's going to be a lot faster because it's a lot closer to the edge location so um you know it's just a 
different uh different cases but yeah there was one where we're launching EC2 workload into Wavelength which we couldn't complete which is totally fine and then we have these functions on the edge there's other uh edge computing services like within SageMaker you can deploy I think it's called like Neo SageMaker and then for IoT devices those are obviously on the edge so you can deploy those as well uh but generally that gives you an idea of edge computing [Music] okay hey it's Andrew Brown from ExamPro and we're looking at cost and capacity management computing services so before we talk about them let's define what is cost management so this is how do we save money and we have capacity management how do we meet the demand of traffic and usages through adding or upgrading servers so let's get to it the first are the different types of EC2 pricing models so you got Spot Instances Reserved Instances Savings Plans these are ways to save on computing by paying up in full or partially or by committing to a yearly contract or multi-year contract uh or by being flexible about the availability interruption to computing services we have AWS Batch this plans schedules and executes your batch computing workloads across the full range of AWS computing services which can utilize Spot Instances to save money we have AWS Compute Optimizer so suggests how to reduce cost and improve performance by using machine learning to analyze uh you uh your previous usage history we have EC2 Auto Scaling groups so ASGs these automatically add or remove EC2 servers to meet the current demand of traffic they will save you money and meet capacity since you only run the amount of servers you need then we have ELB so Elastic Load Balancer so this distributes traffic to multiple instances we can reroute traffic from unhealthy instances to healthy instances and can route traffic to EC2 instances running in different availability zones and then we have Elastic Beanstalk here which is easy for 
deploying web applications without developers having to worry about setting up and understanding the underlying AWS services similar to Heroku it's a platform as a service so not all of these are about cost some of them are about capacity management like ELB um but yeah there you [Music] go hey this is Andrew Brown from ExamPro and we are looking at the types of storage services and no matter what cloud service provider you're using they're usually broken down into these three where we have block file and um uh object okay so let's take a look at the first so this is going to be for block storage so for AWS this is called Elastic Block Store data is split into evenly split blocks directly accessed by the operating system and supports only a single write volume so imagine you have an application uh over here and that application is using a virtual machine that has a specific operating system and then it has a drive mounted to it uh could be using FC or uh SCSI here um but the idea here is when you need a virtual drive attached to your VM is when you're going to be using block okay the next one here is for um file or it's just basically a file system so this is AWS Elastic File Storage so the file is stored with data and metadata multiple connections via a network share supports multiple reads writes locks the file so over here uh we could have an application but it doesn't necessarily have to be an application and so it's using NAS exports as the means to uh communicate and so the protocols here can be NFS or SMB which are very common uh file system protocols and so the idea here is when you need a file share where multiple users or VMs need to access the same drive so this is pretty common where you might have multiple virtual machines and you just want to act as like one uh drive uh one example that could be like let's say you're running a Minecraft server you're only allowed to have one world on a particular single drive but you want to be able to have multiple 
virtual machines to maximize that compute that'd be a case for that um so there you go then the last one here is like object storage and so for AWS this is called Amazon Simple Storage Service or also known as S3 so object is stored with data metadata and a unique ID scales with limited uh with limited no file limit or storage limit so there's really very there's very little limit to this it's just basically scales up supports multiple reads and writes so there are no locks and so the protocol here we're going to be using HTTPS and API so when you just want to upload files and not have to worry about the underlying infrastructure not intended for high uh IOPS so input and outputs per second okay so depending on how fast you have to do your read and writes are going to determine you know whether you're going uh this direction or the other way um or you know how many need to actually connect at at the same time and whether it has to be connected as a mount drive to the virtual machine [Music] okay hey it's Andrew Brown from ExamPro and we're going to do a short introduction into S3 because on the Certified Cloud Practitioner they ask you a little bit more than they used to and so we need to be a bit familiar with S3 because it is um at least I think that AWS considers its flagship uh storage uh service and it really is one of the earliest services it was the second one ever launched okay so what is object storage or object-based storage so data storage architecture that manages data as objects as opposed to other storage architectures so file systems where uh these are others right so which manages data as files and a hierarchy and block storage which manages data as blocks within sectors and tracks that get stored on an actual uh drive and so uh the idea here is we have S3 which provides basically unlimited storage you don't need to think about the underlying infrastructure the S3 console provides interface for you to upload and access your data okay so we have the 
concept of S3 objects so objects contain your data they are like files but objects may consist of a key this is the name of the object a value the data itself made up of a sequence of bytes the version ID when versioning enabled the version of the object metadata additional information attached to the object and then you have your S3 buckets so buckets hold objects buckets can also have folders which in turn hold objects S3 is a universal namespace so bucket names must be unique it's like having a domain name okay and one other interesting thing is an individual object can be between zero bytes and up to 5 terabytes so you have unlimited storage but you can't have uh files of uh incredible size uh I mean 5 terabytes is a lot but nothing beyond that for a single file but just understand that you can actually have a zero byte file uh and for like associate certifications that can be a an actual question so that's why it's [Music] there all right let's take a look at S3 storage classes um and so for the Certified Cloud Practitioner we need to know generally what these are for associate levels we need more detail than we have here but let's get through it so AWS offers a range of S3 storage classes that trade retrieval time accessibility durability for for cheaper storage and so the farther down we go here the more cost effective uh it should get uh pending uh you know certain conditions okay so when you put something into S3 it's going to go into the standard uh tier the default tier here and this is uh incredibly fast it has 99.99% availability 11 9's durability and it's replicated across 3 AZs and so uh you know we have this cheaper meter here here on the left-hand side and that would apply this is very expensive and it's not actually expensive but it is expensive at scale when you can uh better optimize it with these other tiers so just understand that um then you have the S3 Intelligent-Tiering so this uses ML to analyze objects and usage and determine the appropriate 
storage class it is moved to the most cost effective access tier without any performance impact or added overhead then you have S3 Standard-IA which stands for infrequent access this is just as fast as S3 Standard but it's cheaper if you access the files less than once a month there's going to be an additional retrieval fee applied so if you do try to retrieve data as frequently as S3 Standard it's going to actually end up costing you more so you don't want to do that okay then you have S3 One Zone-IA so as it says it's running in a single zone so it's as fast as S3 Standard but it's going to have lowered availability but you're going to save money okay there is one caveat though your data could get destroyed because it's remaining in a single uh AZ so if that AZ or data centers um suffer a catastrophe you're not going to have uh a duplicate of your data to retrieve it okay um and then you have S3 Glacier so for long-term cold storage retrieval of data can take minutes to hours but it's very very very cheap and then you have S3 Glacier uh Deep Archive which is the lowest cost storage class but the data retrieval is 12 hours and so you know um all of these here to here these are all going to be in the same uh AWS S3 console or Amazon S3 console S3 Glacier is basically like its own service but it's part of S3 so kind of lives in this weird state there's one here that we didn't have on the list here which is S3 Outposts because it has its own storage class and doesn't exactly fit well into um this kind of linear cheaper uh thing here [Music] okay hey it's Andrew Brown from ExamPro and we are taking a look at the AWS Snow Family so this is storage and compute devices used to physically move data in or out of the cloud when moving data over the internet or private connection that is too slow difficult or costly so we have Snowcone Snowball Edge and Snowmobile and so there originally was just Snowball and then they came out with Snowball Edge uh and Edge 
introduced edge computing that's why there's Edge in the name uh but pretty much all of these devices have edge computing uh and they do individually come with some variance so with the Snowball Snowcone it comes in two sizes where it has 8 terabytes of usable storage and then there's one with 14 terabytes of usable storage for Snowball Edge technically has like four versions but I'm going to break it down to two for you we have storage optimized where we have 80 terabytes of use um uh of usable storage there and then compute optimized 39.5 terabytes and even though it's not here you get a lot of vCPUs and increased memory which could be very important if you need to do edge computing before you send that over to AWS and then last here we have Snowmobile which can store up to 100 petabytes of storage um in the associates I cover these in a lot more detail because there's so much more about these like the security of them how they're tamperproof like how they have networking built in the the connection to them but you know for this exam that's just too much information um you just need to know that there are three uh three ones in the family and generally what the sizes are and that they're going to be all placed into Amazon S3 what's interesting is that you know Snowmobile only does 100 petabytes but AWS markets it as you can move exabytes of of um content because you can order more than one of these devices so uh they'll market it saying like Snowball Edge is when you want to move petabytes of data and Snowmobile is when you want to move exabytes but you can see that a single thing isn't in the exabyte it's just in the petabyte [Music] okay hey this is Andrew Brown from ExamPro and we are taking a look at all the AWS storage services in brief here so let's get to it so the first is Simple Storage Service S3 this is a serverless object storage service you can upload very large files and an unlimited amount of files you pay for what you store you don't worry about 
the underlying file system or upgrading the disk size you have S3 Glacier this is a cold storage service it's designed as a low-cost storage solution for archiving and long-term backup it uses previous generation uh HDD drives to get that low cost and it's highly secure and durable we have Elastic Block Store EBS this is a persistent block storage service it is a virtual hard drive in the cloud and you attach to EC2 instances you can choose different kinds of hard drives so SSD IOPS SSD throughput HDD and um cold HDD okay we have Elastic File Storage so EFS it is a cloud native NFS file system service so file storage uh you can mount to multiple EC2 instances at the same time when you need to share files between multiple servers we have Storage Gateway this is a hybrid cloud storage service that extends your on-premise storage to the cloud we got three offerings to your File Gateway so extend your local storage to Amazon S3 Volume Gateway caches your local drive to S3 so you have a continuous backup of the local files in the cloud Tape Gateway so stores files onto virtual tapes for backing up your files on very cost effective long-term storage we got one more page here because there's a lot of services here we have AWS Snow Family so these are storage devices used to physically migrate large amounts of data to the cloud and so we have Snowball and Snowball Edge these are briefcase size data storage devices between 50 to 80 terabytes I don't believe Snowball is available anymore it's just Snowball Edge but it's good to have all of them in here so we can see what's going on we have Snowmobile this is a cargo container filled with racks of storage and compute that is transported via a semi trailer tractor truck to transfer up to 100 petabytes of data per trailer I don't think we're going to be ordering that anytime soon cuz that's pretty darn expensive but that's cool we have Snowcone this is a very small version of Snowball that can transfer 8 terabytes of data we have 
AWS Backup a fully managed backup service that makes it easy to centralize and automate the backup of data across multiple AWS services so EC2 EBS RDS DB EFS Storage Gateway you create the backup plans we have CloudEndure Disaster Recovery so continuously replicates your machine in a low-cost staging area in your target AWS account and preferred region enabling fast and reliable recovery in case of IT data center failures we have Amazon FSx this is a feature rich and highly performant file system that can be used for uh Windows so that would be using SMB or Linux which uses Lustre and so there we have the Amazon FS FSx for Windows File Server so use SMB protocol and allow you to mount FSx to Windows servers and then the Lustre one which uses uh Linux Lustre file system it allows you to mount FSx to Linux servers are there any storage services missing here not really I mean you could count Elastic Container Repository as one but um that's kind of something else or you could also count maybe um uh CodeCommit but you know I kind of put those in a separate category where we where those are in our developer tools or our containers [Music] okay all right so what I want to do is show you around S3 so we'll make our way up here and type in S3 and we'll let it load here and what we're going to do is create a new bucket if you do not see the screen just click on the side here go to buckets and we'll create ourselves a new bucket so bucket names are unique so let's say my bucket and we'll just pound in a bunch of numbers I'm sure you're getting used to making buckets in this um in this course so far um so if we scroll on down notice that it says block public access settings for this bucket and this is turned on uh like the blocking is turned on by default because S3 buckets are the number one thing that are a point of entry for malicious actors where people leave their buckets open so if we want to uh grant access to this bucket for people to see this publicly we'd have to 
turn this off okay but for now we're going to leave that on you can version things in buckets which is pretty cool you can turn on encryption which you should turn on by default and use the Amazon S3 key on the Certified Cloud Practitioner it's going to ask you about client-side encryption and server-side encryption so you definitely want to know what these are I'm going to turn it off for the time being so we can kind of explore uh here by ourselves here um then there's object lock so we can lock files so that um you know there you know people aren't writing to them multiple times so we'll go ahead and create a bucket and it's very quick so here is the new bucket we made and you'll notice we have nothing here which is totally fine if I go to properties um you know we can see that uh we can turn on bucket versioning turn on encryption what I'm going to do is I'm going to go grab some files I remember I saved uh some files recently here I'm just going to make a new folder called Star Trek I just have some graphics you can pull anything off the internet you want to do this yourself um but I'm just going to prepare a folder here it'll take me a moment okay just a moment okay great so now I have my folder prepared and so what I want to do is upload my first file so I can go here and upload and actually I can upload multiple files you can add a folder which is nice and so in here if I want to upload these files here whoops I'll just select multiples I'll hit open it'll queue them up which is really nice we can see the destination details here if we want to turn it uh versioning on we could there uh we could apply permissions for outside access but we have uh things turned on but what's really important is the properties where we have these different tiers and so based on the tier that you use the lower you go at least it should be the cheaper it's going to get uh but it's going to have some trade-offs and we cover that through the course then there's that server-side encryption um 
and I'm going to hit upload we'll just individually turn it on so you're going to see this progress go across the top these have all been uploaded I'm going to click on my destination bucket and so what we can do is we can uh open these if they're images they'll show us right here in the browser we can download them so if we need to get them again all right we can create a folder here and just say Star Trek or Enterprise D Enterprise D here okay but it's not really easy it's not like I can drag this into there um I might be able there's no move option so you'd actually have to copy it into the destination and then delete the old one it's not like using a file system you know um there's a lot more work involved but you know it's a great storage solution um so let's look at encryption so I have this selected here if I click into it I can go to permissions I can go to versions see that I'm looking for ah encryption here we go so if I turn it on I can enable encryption and I can choose whether I want to use an Amazon S3 key so SSE-S3 so an encryption key that Amazon S3 creates manages and uses for you then you have AWS SSE-KMS and I believe this uses AES up here which is totally fine then you have KMS down here and it's interesting because they're like AWS will manage the key for you and then this one AWS will manage the key for you it's just slightly different this one of course is a lot simpler there's not many reasons not to turn on encryption but uh I'm going to go turn this one so that it is encrypted here and just because it's encrypted doesn't mean we can't access the file I can still download it I can still view it because AWS is going going to decrypt it right so if I go and click on this one and I say open okay even though it's encrypted I can still view it right it just means that it's encrypted on the storage right so if somebody were to steal that hard drive whatever hard drive it's sitting on on AWS they could even figure it out it's encrypted they're not going 
to be able to open up the file right so that is the logic there but through here um I can get it something that's really interesting with um S3 is the ability to um uh have cycle events so I'm just kind of looking where that is it's usually in the bucket so if I go to management up here I can set up a lifecycle rule and what I can do is say like move this to deep storage okay and then I can say what it is that I want to filter so maybe it's like data.jpg I can say apply to all objects in the bucket I acknowledge that and we say move current versions of objects between storage classes and I checkbox that on and I can say move them to Glacier after 30 days I think if I go lower it'll complain probably when I save there and so the idea is that we can move things into storage so maybe you have files coming in down below it's showing you here right so a file is uploaded and then after 30 days then move them into Glacier so we save money okay that's a big advantage of S3 there's a lot of things going on in S3 here like you can turn on um uh wherever it is you can turn on web hosting so you can turn this into like a website down below here there's a whole uh whole bunch of things that you can do okay so uh we're not going to get into that because that's just too much work but uh you know we learned the basics of S3 so what I want to do to delete this I have to empty it first watch it'll be like you cannot delete it you need to empty the bucket first so go ahead and empty it and I'll say my bucket empty or sorry I guess I have to type in permanently delete permanently delete no they used to oh yeah I can copy it okay great and so once the bucket is emptied I can go back to the bucket and I'll go back one layer and then I'll go ahead and delete my bucket and you can only have so many buckets I think it's like a 100 you have like 100 buckets how many buckets can you have in AWS 100 buckets yeah I was right and I think if you wanted to know how many you Pro there's
probably like a service limits page service limits service quotas so you go here you say AWS services S3 how many buckets 100 right there okay so you know that gives you kind of an idea what's going on there but there you go that's S3 all right so let's go take a look at Elastic Block Store which is uh virtual hard drives for EC2 so what I'm going to do is make my way over to the EC2 console because that is where it's at and on the left-hand side if we scroll on down you'll see elastic block volumes or Elastic Block Store volumes and so we can go here and the idea is we can go ahead and create ourselves a volume and what you'll notice is that we have a few different options here we have general purpose provisioned IOPS cold HDD throughput optimized magnetic being um basically like uh physical tape that you can use to back up like the old school stuff and so you have all these options here and you can choose the size so when you change these options you're going to notice that some things are going to change like the through uh throughput or IOPS so notice that general purpose is fixed at between 300 to 3,000 and notice that it goes from 1 gigabyte to how many ever that is that's a lot there and so it's not too complicated but in practicality I don't really create volumes this way what I do is I'll just go launch an EC2 instance so I'll say launch EC2 instance and we'll choose Amazon Linux 2 and again you know if we haven't done the EC2 follow along we'll cover all this stuff in more detail don't worry about it um we go to configure instance then we go to add storage and this is what you're going to be doing when adding EBS volumes um to your EC2 instances and you'll notice we always have a root volume that's attached to the EC2 instance that we cannot remove we can change the size up here I believe the oh it shows us right here that we have up to 30 gigabytes so sometimes you might want to max that out to take advantage of the free tier you notice we can also
change uh this there might be some limitations in terms of the root volume so notice that we have a few more options here we can't have a cold HDD or HDD as our root volume uh notice we have a delete on termination so EBS volume persists independently from the running life so you can choose to automatically delete uh EBS volume when the associated instance is terminated so if you take this off if the EC2 instance is deleted the volume still remains which could be something that's important to you uh for encryption here um you might want to turn it on and so generally AWS always has a KMS managed key which is free so you checkbox that on it will be encrypted uh you can turn it on later um but you can never turn encryption off but you should always uh turn the encryption on and so just be aware to turn that on you can also add file systems down below here but maybe we'll talk about that later because I think that gets into um EFS okay so that is a different type of file storage there but that's pretty much all there is to it uh you just go ahead and create uh your volume there and then it would show up under EBS we could take snapshots of them to back them up that goes to S3 but that's all we really need to know here [Music] okay all right let's take a look at elastic file uh system or EFS uh storage manage file storage what does EFS stand for EFS system elastic file system okay sorry and so what we can do is go ahead and create a file system here so I'm going to say my EFS and the great thing is that it's basically serverless so it's only going to be what you consume right so what you store and what you consume um and I think that's what it's going to be based on we have to choose a VPC I want to launch it in my default VPC and we have the choice of regional or one zone um I guess this is going to be based on what gets backed up to S3 possibly so one zone probably is more cost effective but I'm going to choose regional and that's a new option I never noticed
before I just opened it up to see a few more things here we have general Max I/O bursting provision things like that we'll hit next we'll choose our AZs and uh then you might have to set up a policy so I'm going to hit next here you'll go ahead and hit create so you know this is really interesting but the trick to it is really mounting it to an EC2 instance and that's kind of the pain okay so if we go into this um you have to mount it and there are commands for it so like EFS mounting Linux commands okay I've done this in my Solutions Architect Associate uh but you know again I'm not doing it on a regular basis so I don't remember and so if we go here I'm just trying to see if we can see some code that tells us how to mount it so mounting on an EC2 uh uh EC2 Linux instance with the EFS mount helper um so I don't know if they had that before but that sounds interesting so sudo mount hyphen t the file system the EFS mounting point yeah this looks a lot easier than what we had before okay so before I had to enter a bunch of weird commands but now it looks like they've boiled it down to a single command but once you have your EFS instance um I'm going to assume that there is an entry point here just clicking around here seeing what we can see I would imagine we have to create an access point so my access point sure I don't know if it's going to let me just do that it did and so I would imagine that you'd probably use an access point let's go back here EFS mount point I think that's the same thing I think the mount point and the access point you create access points and that's what you use uh we can go here we can attach it so oh yeah here's the command so um mount via DNS or mount via IP address so it doesn't look too hard we can try to give it a go I haven't done it in a while it looks like they've made it easier so maybe we'll try it out okay so we go to EC2 here and I'm going to launch an instance I'm going to choose Amazon Linux 2 okay we're going to go and choose that
and then we want to choose a file system and so it's going to mount to here okay and storage is fine all this is fine and I'm going to go ahead and launch this and I need a new key pair so create a new key pair um this will be for EFS example okay we're going to download that key pair there we're going to launch this instance okay and then we're going to go view this and as that is launching what I'm going to do is open up my CloudShell and I'm going to want to upload this PEM so again like before I'm going to drag it to my desktop off screen and then what I'm going to do is upload this file so I have it EFS example okay we're going to upload it because I just want to see if we can access that EFS volume and so if I do ls that's our old one which I can delete by the way I'm never going to use that anytime soon yes ls and I'm going to just delete the hello text there so it's a bit cleaner for what we're doing and so we need to chmod that 400 uh EFS example and we saw that's how like if you want to try to connect to a server remotely that's what you do right so I believe that the drive is mounted if I go to storage does it show up here doesn't show up under here but um what we're waiting for are these two status checks to pass and then we can SSH into this machine and I'm just going to go back here and take a look here so using the EFS mount helper so sudo mount hyphen t efs tls this volume to EFS and so I imagine it's going to mount it to EFS here using the NFS client so I guess it just depends on what we're going to have available to us even if the status checks haven't passed I'm going to try to get into this anyway um so what we can do is click on this grab the public IP address we'll type in ssh um ec2 hyphen user at sign paste this in hyphen i EFS example pem I usually don't log in via SSH um but you know just for this example I will and so I want to see if this drive exists usually be under mount right there it is okay so it already mounted for us so I can
do touch hello world.txt say sudo here I can say sudo vi I'm going to open up the file and say hello from another computer okay and so I've saved that file and what I want to do now oops oh okay sorry I'm in the CloudShell here but what I want to do now is I want to kill this machine okay and what I'm going to do is spin up another EC2 instance I'm going to see if I when I mount that if that file is there if it actually worked but wow that is so much easier than before I can't tell you how hard it was to attach an EFS volume the last time I did it um so we'll go ahead we'll add that and the storage is fine we're going to go to review here we're going to say launch and I'm just going to stick with the same key pair there we're going to give that a moment to launch and we're going to go to view instances and so now this one is launching as it's launching let's just go peek around and see what we can see so you know I imagine if we didn't add that file system during the boot um and we were adding it after the fact we probably could have just run that line and added it really easily um I'm not going to bother testing that because I just don't want to go through that trouble to do that um I still can't remember what these access points are for um but uh it's okay that's kind of out of the scope for the Certified Cloud Practitioner and then so I'm just curious so we get some nice monitoring here right so that's kind of nice um I guess they're trying to suggest here like AWS Backup DataSync Transfer so that would just be backing up simplify uh automates accelerates moving data okay that's pretty straightforward Transfer Family fully managed SFTP okay so nothing exciting there and we're going to refresh that there and this is initializing so let's go see if we can connect to this one so I'm going to go ahead grab that public IP address I'm going to hit up okay I'm going to swap out that IP address and we're going to see if we can connect to that
machine yet so we'll say yes and we got into it so that's great and so what I'm going to do is go again into the mount directory EFS FS1 ls and there it is I'm going to do cat hello world and so it works and so that's the cool thing about EFS is that you have a file system that you can share among other um uh EC2 instances I'm sure users could connect to it using the NFS protocol I'm not the best at like networking or storage networking so I'm not going to show that here to you today but that gives you a general idea how EFS works again you only pay for what you store it is serverless so we'll go here and type delete because I'm done with this I'll probably uh destroy the instance first so it doesn't get mixed up and just so we clean up a little bit better here I'm going to delete these keys here uh delete okay and we'll go ahead and delete this one as well delete I'm done with that uh we'll make sure that that is tearing down that is good and we'll make our way back over here and it says enter probably the ID's name in so we'll enter that in and we hit confirm and we'll see is it deleting I'm not confident with it I'm going to do it one more time confirm that by entering the file system's ID so we'll put it in again is it destroying I cannot tell there we go so it's destroying we are in good shape it is gone our data is gone um but yeah that is [Music] EFS all right let's take a look at um the Snow Family in AWS so if we type in snow up here and we click into AWS Snow Family this is where we can probably order ourselves a device um I might not be able to order them at least when I originally looked at this like way back in the day uh it wasn't available in Canada so I'm kind of curious to see what there is but the idea is that you're going to go here and order and you have some options so you can import into S3 or export from S3 and then down below we have local compute storage so perform local compute storage workloads without transferring data you can order
multiple devices and clusters for increased durability and storage capacity so it sounds like you're not um transferring data you're just using it uh locally on to um it's like basically buying renting temporary computers which is just kind of interesting I never saw that option before but we're going to choose import into S3 and we're just going to read through this stuff and it's not my expectation that we're going to even be able to submit a job here and you probably don't want to because it's going to cost money but I just want to show you the process so we can see what there is here so snow job assistance if you're new to Snow Family run a pilot of one to two devices so batch files smaller than 1 megabyte benchmark and optimize deploy St uh staging workstations discover and remediate environmental uh issues early files and folders names must conform to Amazon S3 prepare your AMI once the pilot is completed confirm the number of Snow Family devices that you can copy devices to simultaneously follow the best practices use the following resources to manage your snow devices so we have AWS OpsHub and then there's the edge client CLI so OpsHub is a graphical user interface you can use to manage snow devices so that's kind of cool and then we have the CLI which I imagine is something that's very useful to use so just close those off here and then we have other things so I can say I acknowledge I know what I'm doing which I don't really but that's okay and then here we are going to enter in our address so we say Andrew Brown and I'm not going to I'm not going to enter this in for real just whatever so it would be Toronto exam Pro um Canada oh see so there's the thing you can only ship it to the US and so that's as far as I can get okay um and that's the thing is like if you really want to know AWS inside and out you got to be in the US but let's pretend that we do have an address in the states what's a very famous address so what is the
address of the White House okay there it is so I'm just going to copy that in because again we're not going to submit this for real I just want to see what's farther down the line here okay uh what's NW is that the state it's in Washington right is this part of it NW Northwest is that a thing I'm from Canada so I couldn't tell you um so we'll go down here and we have Washington do we have a second address line it doesn't look like it um we have a zip code I believe this is the zip code and do we need a phone number looks like we do 416 uh 111 11111 okay we have one day or two day shipping why not just have one right and so then we can choose our type of device so we have Snowcone Snowcone SSD Snowcone optimized I'm surprised I never took a screenshot of this earlier um compute optimized things like that so you can choose which one you want it looks like we're gonna see some different options but we'll go with Snowcone my Snowcone and Snowcones do not ship with a power supply or ethernet cable Snowcone devices are powered by 45 watt uh USB-C power supply I'll provide my own power supply and cable do not ship with a power supply or cable that's fine uh Snowcone wireless Snowcone connect your wireless connection connect the buckets you want there's the bucket we created earlier computing use compute using EC2 instances use a device as a mobile data center by loading EC2 AMIs so here's an AMI that I might want to use uh AWS IoT Greengrass validated AMI not interested in remote device management you can use OpsHub or etc to monitor reboot your device that's fine and so then we need to choose our security key I don't know if we have to set the service role we'll see what happens here and uh we'll let it update that's fine and so then I guess we just hit create job and so I don't really want to order one um so I'm not going to hit that button and also it's going to go to the White House and they're going to be like Andrew Brown why did you do that so
that's not something I feel like doing today but at least that gives you an idea of that process there and I imagine that uh if you go the other way it's going to be pretty similar yeah it's just like same stuff I think uh so it saved that address it's not a real address and the options are a little bit uh limited here and it's like NFS-based S3-based so it's slightly different but it's basically the same process just curious we'll take a look at the last one there since there are three options just curious okay similar thing okay so yeah that's pretty much all I want you to know about um the Snow Family and that's about it [Music] okay hey this is Andrew Brown from exam Pro and we are taking a look at what is a database so a database is a data store that stores semi-structured and structured data and just to emphasize a bit more a database stores more complex data stores because it requires using formal design and modeling techniques so databases can generally be categorized as either being relational so structured data that strongly represents tabular data so we're talking about tables rows and columns so there's a concept of row oriented or column oriented and then we have non relational databases so these are semi-structured that may or may not distinctly resemble tabular data so here is a very uh simple example the idea is that you might use some kind of language like SQL put in your database and you'll get back out tables for relational databases let's just talk about some of the functionality that these databases have so they can be uh using a specialized language to uh query so retrieve data so in this case SQL specialized modeling strategies to optimize retrieval for different use cases uh more fine tuned control over the transformation of the data into useful data structures or reports and normally a database infers uh someone is using a relational row oriented data store so um you know just understand that when people say database
that's usually what they're talking about like Postgres MySQL relational row store is usually the default but obviously there's a lot more broader terms there [Music] okay hey this is Andrew Brown from exam Pro and we are taking a look at what is a data warehouse so it's a relational data store designed for analytical workloads which is generally column oriented data store okay so companies will have terabytes and millions of rows of data and they'll need a fast way to be able to produce analytics reports so data warehouses generally perform aggregation so aggregation is the idea of grouping data together so find a total or an average uh and data warehouses are optimized around columns since they need to quickly aggregate column data and so here is kind of a diagram of um a data warehouse and so the idea is that it could be ingesting data uh from a regular database here I'm just getting out my pen tool so it could be a regular database or it could be coming from a different data source that isn't compatible in terms of the schema and you use like ETL or ELT uh or ETL to get that data into that data warehouse so data warehouses are generally designed uh to be hot so hot means that they can return queries very fast even though they have vast amounts of data data warehouses are infrequently accessed meaning they aren't intended for real-time reporting but maybe once or twice a day uh or once a week to generate business and uh user reports of course it's going to vary based on the um the service that is offering the data warehouse a data warehouse needs to consume data from a relational database on a regular basis and again it can consume it from other places but you'll have to transform it to get it in there [Music] okay hey this is Andrew Brown from exam Pro and we're taking a look at a key value store so a key value store or database is a type of non-relational database or NoSQL that uses a simple key value method to store data and so key value stores are dumb and fast
uh but they generally lack features like relationships indexes aggregation of course there are going to be providers out there that have managed solutions that might uh polyfill some of those uh issues there but I want to show you the underlying way that key value stores work to kind of distinguish them between document stores so a key value store is literally a unique key alongside a value and the reason I'm representing that as zeros and ones is because I want you to understand that that's what it is it's basically just some kind of data there and how the key value uh store interprets it is going to determine what it is so when you look at a document database that is just a key value store that uh interprets the value as being documents right and so key value stores can and do commonly store um uh multiple uh like associative array that's pretty common so even for DynamoDB that's how it does it and so that's why when you look at a key value store it looks like a table but it's not actually a table it's schemaless because underneath it's really just um you know that associative array and so that's why you can have uh columns or sorry rows that have uh different amounts of columns okay so due to the design they are able to scale very well beyond a relational database and they can kind of work like a relational database without all the bells and whistles so hopefully you know that makes sense [Music] okay all right let's take a look at document stores so a document store is a NoSQL database that stores documents as its primary data structure and a document could be an XML uh type of uh structure but it also could be something like JSON or JSON-like document stores are subclasses of key value stores uh and the components of a document store are very uh comparable to relational databases so just kind of an example here where in a relational database they'd be called tables now you have collections they were called rows now they're called documents
you had columns they had fields they may have indexes and then joins might be called embedding and linking so you can translate that knowledge over uh you know they're not as um they don't have the same kind of feature set as a relational database but you have better scalability and honestly document stores are just key value stores with some additional features built on top of it [Music] okay hey it's Andrew Brown from exam Pro and we're going to take a look at the NoSQL database services that are available on AWS so we have DynamoDB which is a serverless NoSQL key value and document database it is designed to scale to billions of records with guaranteed consistent data returned in at least a second you do not have to worry about managing shards and DynamoDB is AWS's flagship database service meaning whenever we think of a database service that just scales is cost effective and very fast we should think of DynamoDB and in 2019 Amazon the online shopping retail uh shut down their last Oracle database and completed their migration to DynamoDB so they had 7,500 Oracle databases with 75 petabytes of data and with DynamoDB they reduced that cost by 60% and reduced the latency by 40% so that's kind of to be like a testimonial between relational and a NoSQL database so when we want a massively scalable database that is what we want DynamoDB for and I really just want to put that there because if you remember that you're going to always be able to pass uh or get those questions right on the exam okay then we have DocumentDB so this is a NoSQL document database that is MongoDB compatible uh so MongoDB is very popular NoSQL among developers there were open source licensing issues around using open source MongoDB so AWS got around it by just building their own MongoDB database basically so when you want a MongoDB like database you're going to be using DocumentDB we have Amazon Keyspaces this is a fully managed Apache Cassandra database so Cassandra is an open
source NoSQL key value database similar to DynamoDB that is columnar store database but has some additional functionality so when you want to use Apache Cassandra you're using Amazon Keyspaces [Music] hey this is Andrew Brown from exam Pro and we are taking a look at relational database services starting with Relational Database Service RDS and this is a relational database service that supports multiple SQL engines so relational is synonymous with SQL and online transactional processing OLTP and relational databases are the most commonly used type of database among tech companies and startups just because they're so easy to use I use them I love them um RDS supports the following SQL engines we first have MySQL so this is the most popular open source SQL database uh and it was purchased and is now owned by Oracle uh and there's an interesting story there because when Oracle purchased it they weren't supposed to have it um MariaDB was or sorry MySQL was sold to Oracle Sun systems and then within the year um uh Oracle purchased it from them and the original creators never wanted it to go to Oracle um just because of their uh the way they do licensing and things like that and so um the original creators came back and they decided to fork MySQL and then maintain it as MariaDB just so that uh you know Oracle never kind of pushed away the most popular database so that everyone had to go to a paid solution then you have Postgres so psql as it's commonly known is the most popular open source SQL database among developers this is the one I like to use because it has so many rich features over MySQL uh but it does come with added complexity then Oracle has its own SQL proprietary database which is well used by enterprise companies but you have to buy a license to use it then you have Microsoft SQL so Microsoft's proprietary SQL database and with this one you have to buy a license to use it uh then you have Aurora so this is a fully managed database uh and there's a
lot more going on here with Aurora so we'll talk about it it almost acts as a separate service but it is powered by RDS so Aurora is a fully managed database of either MySQL so five times faster or PostgreSQL three times faster database so when you want a highly available durable and scalable and secure relational database for Postgres or MySQL you want to use Aurora uh then you have Aurora Serverless so this is a serverless on-demand version of Aurora so when you want most of the benefits of Aurora but you can trade uh off to have cold starts or you don't have lots of traffic or demand uh this is a way you can use Aurora in a serverless way then you have RDS on VMware so this allows you to deploy RDS supported engines to on premise data centers uh the data center must be using VMware for server virtualization so when you want databases managed by RDS on your own database center uh and yeah I realize that this is a small spelling mistake should say just on here but yeah there you [Music] go hey this is Andrew Brown from exam Pro and we're looking at the other database services that AWS has because there's just a few loose ones here so let's talk about Redshift so it is a petabyte-size data warehouse and data warehouses uh are for online analytical processing OLAP and data warehouses can be expensive because they are keeping data hot meaning that they can run a very complex query and a large amount of data and get that data back very fast so when you need to quickly generate analytics or reports from a large amount of data you're going to be using Redshift then you have ElastiCache so this is a managed database of in-memory and caching open source databases such as Redis or Memcached so when you need to improve the performance of an application by adding a caching layer in front of your web servers or database you're going to be using ElastiCache then you have Neptune this is a managed graph database the data is represented as interconnected
nodes I believe that it uses Gremlin as the way to interface with it which is no surprise because that's what it looks like most cloud providers are using so when you need to understand the connections between data so mapping fraud rings or social media relationships uh very relational database heavy information you're going to want to use Neptune we have Amazon Timestream it's a fully managed time series database so think of devices that send lots of data that are time-sensitive such as IoT devices so when you need to measure how things change over time we have Amazon Quantum Ledger Database this is a fully managed uh ledger database that provides transparent immutable cryptographically verifiable transaction logs so when you need to record a history of financial activities that can be trusted and the last one here is Database Migration Service DMS it's not a database per se but it's a migration service so you can uh migrate from on premise database to AWS from two databases in different or same AWS accounts using different SQL engines and from an SQL to a NoSQL database and I'm pretty sure we cover this in a bit uh greater detail in this course [Music] okay all right let's go take a look at DynamoDB uh which is AWS's NoSQL database so we'll go over to DynamoDB and what we'll do is create ourselves a new table to say my DynamoDB table and you always have to choose a partition key you don't necessarily have to have a sort key but it could be something like um like you want it to be really unique so it could be like email and this one could be uh created at right and so we have string binary notice that the types are very simple then for settings we have default settings or customized settings so the default is use provision capacity mode rewrite five rules etc custom no secondary indexes use KMS so I'm going to just expand that to see what I'm looking at we have two options here on demand uh so simplify billing by paying the actual reads and writes you
use or provisioned which is this is where you get a guarantee of performance so if you want to be able to do you know whatever it is a thousand I don't know what it goes up to but like a thousand read/writes per second then that's what you're paying for okay you're paying for having a guarantee of that um of that capacity okay I'm not going to create any secondary indexes but that's just like another way to uh look at data notice down below that we have a cost of $2.9 uh then we have encryption at rest so you can do owned by Amazon DynamoDB that's pretty much the same as like AWS has or S3 has SSE-S3 there you could use uh C actually I guess both of these are probably KMS I would imagine we'll go ahead and create the table here and that's going to create the table this is usually really really fast we'll go here and what we can do is insert some data so as it's just starting up here we can go over to our tables they recently changed its UI so that's why I look a bit confused uh view items up here okay and then from here we can create an item so I can add something say so Andrew exampro dot co and 2021 uh well we'll just do the future so we'll say 20 25 055 I don't want to have to think too hard here but we can add additional information so I can say like uh today true we could say um make like a list uh you know food and then I could go here and then add a string it is not working oh there we go there we are so we could say like um banana and then we could say pizza right we can go ahead and create that item and so now that item is in our database uh we can do a scan that will return all items we can query we can actually have uh some limitations of what we're choosing there's the PartiQL editor so we can use SQL to select it um I have not used this before PartiQL um AWS or PartiQL DynamoDB examples I'm hoping I can just find like an example of some of the language getting started here I don't need to I don't need an explanation I just show me an
example query here and I will I'll get to it here okay so here's some examples right so maybe we can give this a go uh um so we have our table here so my DynamoDB table and I just want the email back we don't need a where we'll run this see if it works there we go I'm not sure if we could select additional data there so I know that we had some other things like uh food there it is okay so that's really nice um addition to it DynamoDB can stream things into a DynamoDB stream to go to Kinesis and do a lot of fun things so there all sorts of things you can do with DynamoDB but um I'm pretty much done with this so I'm going to go ahead and delete this table and notice that it also creates some CloudWatch alarm so we want to delete this as well create a backup no we do not care go ahead and delete that and that is DynamoDB [Music] okay

so now I want to show you uh RDS or Relational Database Service so go to the top here type in RDS and we'll make our way over there and so RDS is great because it allows us to launch relational databases um sometimes the UI is slow I'm not sure why it's taking so long to load today but every day is a bit different and so what we're going to do is go ahead and create a new database uh you're going to notice that we're going to have the option between creating a standard or easy I stick with standard just because I don't like how easy hides a lot of stuff from us even here like it says two cents per hour but it's not giving us the full cost so I really don't trust it because if you go down here and you chose their dev test here look it's like $100 it's not showing the the the cost preview right now maybe because we didn't choose the database type sorry I wanted to choose Postgres but before we do that let's look at the engine types we have Amazon Aurora so we have between MySQL and Postgres MySQL MariaDB Postgres Oracle Microsoft SQL no for Microsoft SQL it comes with a license you don't have to do anything with that it might change based on
the edition here uh nope comes with a license for all them which is great uh if you want to bring your own license that's where you need a dedicated host right running uh Microsoft SQL for Oracle uh you have to bring your own license that's going to be based on um importing with the AWS License Manager over go over to Postgres which is what I like to use uh we're going to set it to dev test to try to get the cheapest cost scroll down look $118 we can get it cheaper we get super cheap so here the password is going to be testing one two three capital on the T so and an exclamation mark on the end okay because it has a bunch of requirements of what it wants here I want a T2 micro so I'm just going to scroll down here what is going on here standard oh look M classes I don't want an M class class I want a burstable class that's the cheap ones and so we go here can we still do a T2 micro or is it now T3 so I don't see T2 so I imagine a T3 micro must be the new it free tier so we go it free tier here right and if I go to databases um RDS on the T2 micro 750 hours but I can't select it so I'm going to assume that the T3 micro must be the new tier if it's not there right unless it's saying include previous generations and then maybe I can see it then okay so I don't see it there I really don't like how they've changed this on me okay so the oldest I can choose is a T3 micro which is fine I just I just know T2 being the free tier that's all uh this is fine we don't want auto scaling turned on for our example here we do not want a Multi-AZ so do not create a standby that's going to really jump up our cost we don't need public access it will create a VPC that is fine password authentication is fine we have to go in here which I don't know why they just don't keep that expanded because you always have to come in here name your database so my database we choose your Postgres version here I'm going to turn backups off uh because if we don't if we don't it's going to take forever to
launch this thing encryption is turned on you can turn it off but generally it's not recommended we can have performance insights turned on I'm going to turn the retention oh we'll leave it to seven days because we can't turn that off we don't need enhanced monitoring so I'm just going to turn that off and uh that's fine we're not going to enable delete protection here and so we are good we can now go ahead and create our database and what we'll do here is wait for that database to be created so the thing is is like if we're doing the solutions architect or the developer associate stuff I'd actually show you how to connect to the database um it's not that hard to do like you just have to connect uh grab all the database information so it's going to have an endpoint a port stuff like that and you use something like TablePlus or something to connect to the database but that's out of scope of the Certified Cloud Practitioner I'm just going through the motions to show you that you can create an RDS database very easily but not how to connect to it and actually utilize it okay and so that would spin up and we would have a server and after that we can just go ahead and delete the server here so to say delete me okay and that's all there really is to it there is the special type of um database like Aurora doesn't have its own like console page it's part of RDS so if you want to spin up Aurora you just choose the compatibility you want you can choose between provisioned or serverless um and serverless is supposed to be really good for um scaling to zero cost so that's something there so you fill that all out but the initial cost is a lot more expensive you can't choose a T2 micro here um unless it lets you now it is for provision it's uh oh T2 T3 medium is the smallest you can go okay so if you reach to the point where using a a medium-sized database then you might consider moving over to Aurora just because it's going to be highly scalable etc like that um so that's a
consideration there there's also something called Babelfish um that it was announced last year when I when I shot this um or when I'm shooting this as of now and the idea was to make it compatible with MyQ SQL Server to migrate over to Aurora PostgreSQL which is kind of interesting um but that's about it so if our database is destroying I think it is just going to go back over over here to RDS it's taking a long time to load today and uh I think it's already deleted maybe we go to databases here it's deleting so I'm confident it's going to delete so there we [Music] go

all right let's take a look at Redshift so Redshift is a data warehouse and it's generally really expensive so it's not something that you're going to want to launch uh day-to-day here but let's see how far we can get with it um just by running through it so what we'll do is go ahead and create a cluster and again you can just watch me do this you don't have to create uh you don't have to create one yourself uh so free trial configure for learning that sounds good to me uh is free for limited time if your organization has never created a cluster why rarely ever create these so when the trial ends delete your cluster to avoid the charges of on demand okay that sounds fair um so here we're going to have two vCPU it's going to launch a dc2.large so let's look that up for pricing show me prices please please please um I think it's loading right here okay so I don't know how much it is but I know it is not cheap and down below we have sample data is loaded into your Redshift cluster that sounds good to me TICKIT is the sample data okay TICKIT sample data Redshift I just imagine they probably have like a tutorial for it here they do right here and so because I want to know what we need to do to query it right if we can even query it via the interface here so the admin user is awsuser um and the password is going to be capital T testing 123 4 5 6 exclamation and we'll hit create cluster oh cool
we can query the data right in here so that's what I wasn't sure about whether we would be able to just query it in line because before you'd have to use Java with JDBC or an ODBC driver and download the JAR and it's not as fun as it sounds of course but it looks like we can query data once the data is loaded so that looks really good I guess we can pull data in from um the marketplace so that's looks pretty nice too and I guess we could probably integrate into other things like QuickSight because you probably want to adjust your data over there again I usually don't spend a lot of time in Redshift um but it looks like it's a lot easier to use I'm very impressed with this so I don't know how long it takes to uh launch a Redshift cluster I mean it is 160 gigabytes uh of of of storage there it's uh even at the smallest it's pretty large so what I'm going to do is to stop the video and I'll be back when this is done okay okay so after a short little wait here um it was lot lot faster than I was expecting but uh it's available and so looks like here it says to query the sample data use Redshift version two so I'm going to click that and I'm sure there's tons of buttons to get here and it'd be great if it just populated the query for me um it doesn't but this looks really nice really nice UI I wonder if it has like some existing queries no that's okay so what I'm going to do here is I'm going to go ahead and pull out this query and see if we can get this to work here never found out what those prices were though okay and what we'll do is hit run I like how there's like a limit of 100 but here it has that so we'll go ahead and hit run and see what data we get so relation sales does not exist okay so what's going on here um we'll go up here so most of the examples in the Redshift documentation uses uh a sample database called TICKIT this sample uh this small database consists of seven tables you can load the TICKIT data set by following the this here okay so to load the
sample data from Amazon S3 okay so I would have thought it already had the data in there I could have swore it would have dev public tables zero tables okay so I don't think there's any data in here and so we're going to have to load it ourselves I really thought it would have added it for us uh let's go ahead and create these tables and see if this is as easy as we think so run that create that table cool okay we got it down here we'll run that we just run each at a time I think there's seven of them so date already exists okay that's fine event already exists saying all these tables exist maybe I just wasn't patient okay um interesting all right so maybe we'll go back and uh run that query maybe we just had to wait a little while for that data to load run okay so you know what I think it was doing this for us like if if the if it did not create it for us we would have to go through all these steps which is fine because we're learning a little bit about um uh Redshift but um uh looks like we just had to wait there so it looks like you would run those you download that you use the copy command to bring it over there um it looks like you can do all of this via the uh this interface here and we've done a query so that's kind of cool um I imagine you probably could like save it or export it what if we chart it what happens okay you can chart it that's kind of fun can we export it out to oh just we can save it I thought maybe it could export out to QuickSight but I I suppose you'd rebuild it in QuickSight a but yeah I guess that's it right there so that's pretty darn simple so so what I'm going to do is make my way back over to Redshift because we are done for this example and we will go over to clusters here and I'm going to go ahead and delete my cluster delete create final snapshot nope delete delete the cluster there we go so I'm pretty sure that will succeed no problem there and we are done with Redshift and Redshift is super expensive so just make sure that
thing deletes [Music] okay

hey this is Andrew Brown from ExamPro and we are taking a look here at cloud-native networking services um and so I have this architectural diagram I created which has a lot of networking components uh when people create networking diagrams for AWS they don't always include all these things here even though they're there so we're just being a little bit verbose so you can see okay the first thing is our VPC our virtual private cloud this is a logically isolated section of the AWS cloud where you can launch AWS resources that's where your uh resources are going to reside not all services uh require you to select a VPC um because they're managed by AWS but I wouldn't be surprised if under the hood they are in their own VPC okay then if you want uh the internet to reach your services you're going to need an internet gateway um then you need to figure out a way to route things to your various subnets and that's where route tables uh come in then we need to define a region that it's going to be which is a geographical location on your network then you have your availability zones which are basically your data centers where your AWS resources are going to reside then you have subnets which is a logical partition of an IP network into multiple smaller network segments um and these pretty much map to your uh availability zones if you're making one per AZ and then we have NACLs these act as a firewall at the subnet level then we have security groups that act as a firewall at the instance level so hopefully that gives you a good overview [Music] okay

all right so now let's take a look at enterprise or hybrid networking so we have our on-premise uh environment or your private cloud and then we have our AWS account or our public cloud so there's a couple services here that we can bridge them together the first is AWS Virtual Private Network VPN it's a secure connection between on-premise remote offices and mobile employees then you have
Direct Connect this is a dedicated gigabit connection from on-premise data center to AWS so it's a very fast connection a lot of times the Direct Connect we say it's a a private connection but that doesn't necessarily mean secure it's not encrypting uh the data in transit so very commonly these services are used together not just singular okay um and then uh we have private links and so this is where you already uh are using AWS but you want to keep it all within AWS never going out to the internet okay so these are generally called VPC interface endpoints and then the marketing pages call them private links which is a bit confusing but you know it just keeps traffic within the AWS network so it does not transverse out to the internet [Music] okay

hey this is Andrew Brown from ExamPro and we are taking a look at VPCs and subnets so a VPC is a logically isolated section of the AWS network where you launch your AWS resources and you choose a range of IPs using a CIDR range so a CIDR range is an IP address followed by this uh netmask or sub submask and that's going to determine how many IP addresses there are um and there's a bunch of math behind that which we're not going to get into um but anyway so here is an architectural diagram just showing a VPC with a couple subnets so subnets is a logical partition of an IP network into multiple uh smaller network segments and so you're essentially breaking up your IP ranges for VPCs into smaller networks so just thinking about cutting up a pie okay so subnets need to have a smaller CIDR range uh to uh the VPCs represent for their portion so uh /24 is actually smaller which is interesting the the higher the number gets the smaller it gets and so this would allocate 256 IP addresses and so that's well smaller than 16 okay we have the concept of a public subnet so this is one that can reach the internet and a private subnet the one that cannot reach the internet and um these are not uh strictly enforced by AWS so the
idea is that when you have a subnet you can just say don't by default assign publicly assignable IP addresses but it's totally possible to launch an EC2 instance into your private subnet and then turn on um uh the IP address so you got to do other things to ensure that they stay private or public [Music] okay

hey it's Andrew Brown from ExamPro and we are comparing security groups versus NACLs so I have this nice architectural diagram that has both NACLs and security groups in them and we'll just kind of talk about these two so NACLs stand for network access control lists and they act as a virtual firewall at the subnet level and so here you can create an allow uh and deny rules and this is really useful if you want to block a specific IP address known for abuse and and I'm going to just kind of um compare that against security groups because that's going to be a very important difference okay so security groups act as a firewall at the instance level and they implicitly deny all traffic so you create only allow rules so you can allow an EC2 instance to access port on uh port 22 for SSH but you cannot block a single IP address and the reason I say that is because in order for you to block a single IP address in security group you would literally have to block or you literally have to allow everything but that IP address and that's just not feasible okay so if you can remember that one particular example you'll always be able to remember the difference between these two one other thing that um AWS likes to do is ask which which ones are stateless which ones are stateful but at the uh Cloud Practitioner level they're not going to be asking you that [Music] okay

all right let's learn a bit about uh networking with AWS so what I want you to do is go to the top and type in VPC which stands for virtual private cloud and what we'll do is set up our own VPC it's not so important that you remember all the little bit of details but you get through
this so that you can remember the major components so what I'll do is create a new VPC I'm going to call this my VPC uh tutorial and here I'm going to say 10.0.0.0/16 the reason you're wondering why I'm doing that if we go to xyxy Z here um this tells you the size of it so I go here and I put 16 so you can see we have a lot of room if we do 24 it takes up it it it's smaller see so this is basically the size of it right the empty blocks over here so we're going to have a lot of room so we do 10.0.0.0/16 we don't need IPv6 we're going to go ahead and create that and once we have that we can go ahead and create a subnet which we will need so we're going to choose our VPC we'll go down here and say my subnet tutorial and we'll choose the first AZ you can leave it blank and it'll choose it random and then we need to choose a block that is smaller than the current one so 16 would be definitely um uh well 16 is the size that we have now so we can match that size but 10.0.0.0/24 would be absolutely small okay so we go ahead and create that subnet and so that is all set up now um let's see if our route table is hooked up so our route table says where it links to and it says to local so it's not going anywhere and that's because we need to attach a uh internet gateway that allows us to reach the internet so if we go over here and create a new internet gateway we'll say my IGW and we'll go ahead and create that and what we'll do is associate that with our VPC we created here okay and so now that we have the internet gateway attached we want that subnet to make its way out to the internet so if we go to the route table we can edit the uh route table association here I like how it keeps on showing me this as if I don't know what I'm doing um but I do and so this would change that particular association but I want to add to that route table so I thought when I click that it would allow me to add more but apparently I got to go to route tables over here and I'm looking for the
one that is ours we can see that it's over here we could even name it if we wanted to like my route table notice then we apply uh uh uh names it's actually just applying a tag see over here it's always what that is so we'll go over to routes and we want to edit the routes and we want to add a route and we want this to go to and we're going to choose the internet gateway okay we're going to say save changes and what that's going to allow us to do is to reach the internet um and so what I want to do is go back to subnet I was just curious about this I've never used this before um so looks like we can just choose some options here I'm not too concerned about that but I assume like that's used for debugging Azure's had those kind of services for a long time and so it has been starting to add those so you can easily debug your network which is nice so we have a subnet the subnet uh can reach the internet because there's a there's um uh an internet gateway and it's hooked up via the route table one thing that matters is will it assign a public IP address um so that is something that we might want to look into it's not the default subnet which is totally fine so it says auto assign is no so that might be something that you might want to change so here we go to edit the route table association no it's not there they changed it on me used to be part of the uh setup instructions us to just checkbox it now they moved it modify the auto assign so we'll say enable so that means it's always going to give it a public IP address on launch and while we're here I'm just going to double check if I have any Elastic IPs I did not release okay just double checking here and so this is all set up and we should be able to launch a um EC2 now within our our new VPC so I'll go over here to EC2 okay and I'm going to launch a new instance say Amazon Linux 2 we're going to choose this tier here and now what we should be able to do is select that and that is our subnet there okay go ahead and launch that
I don't care if we use a key whatsoever so I'm going to go ahead and launch that there okay we'll go back and so there you go it is launching so we created our VPC and we launched uh in it no problem whatsoever so hopefully that is pretty darn clear um so yeah uh what I'm going to do is I'm going to let that launch because I want to show you security groups so within AWS you can set security groups and NACLs and that's going to allow or deny access based on stuff and when we launched this EC2 instance it has a default security group that was assigned we could have created a new one but what I might want to do is create myself a new security group here okay and you can end up with a lot really fast like here's a bunch and I can't even tell what's what so like there's bunch for load balancers and things like that and so I might just go ahead and delete a bunch of these because I cannot tell what is going on here and um we'll delete these security groups and sometimes they won't let you delete them because they're associated with something like a network interface or something all right but um we need to find out which one we're using right now so the one that we are using is the launch wizard 4 so we'll go into here and I don't know if you can rename them after they've been created I don't think so which is kind of frustrating because if you want to rename it it's like I don't want that to be the name so what's interesting is you can go here and you can edit the routes uh the rules sorry the inbound rules and the outbound rules and so here it's open on port 22 so that allows us to SSH in we could drop this down and choose different things so if we want people to access a website we go port 80 and we say from anywhere IPv4, 6 so now anyone can access it um you might want to do something like give it access to Postgres that runs on port 5432 things like that um could be something else like maybe you need to connect to Redshift that's on that port you can go ahead
and save those rules we're just going to say uh from anywhere you can even say my IP so maybe only I'm allowed to connect to it right so you added inbound rules you don't really ever have to touch outbound rules it's set for all traffic so it's stuff that's leaving uh the that there one interesting thing to note about uh security groups is that you don't have a deny option right so let's say you only wanted a particular IP address you only wanted um let's say what's my IP my IP address so that is my IP address and let's say I wanted to block it right so I go here and I say okay I want to block on all TCP I want to block this number right but I can't do that all I can say is I allow this number so in order to do it I would have to enter everything but this number in here and you can enter ranges in with like these forward slashes and stuff like that but you would imagine that'd be really hard because you have to start and go like you'd have to start and go through every single IP address in the world to get it out of here and that's almost impossible and that's the key thing I want to remember about security groups um so that's security groups and there's also NACLs NACLs um they're associated with subnet so they probably show up under VPC I rarely touch NACLs rarely ever have to um I mean they're great tools but you know for me I I just don't ever need them so NACLs are associated with subnets so we can go here and try to see my subnet tutorial so we created our subnet we got a NACL for free and we can set inbound and outbound rules and so here here is where we could say okay I want to add a new rule and I want to and I want to make the rule number 150 you always do these in hundreds okay or the power of 10 so that you can move them around easily and I can say all traffic that comes from this IP address I'm going to put the for/ Z that just means a single IP address and I say deny right and so now uh this my address I can't access that EC2 instance okay
if I try to go there's nothing running on the server but if I was to try to use it I wouldn't be able to do it and and this applies to anything for that subnet it's not for a particular instance it's for anything in that subnet so hopefully that is is pretty clear there um but that's pretty much all you really need to know I mean there's lots of other stuff like network firewalls all these other things it gets pretty complicated um it's well beyond what we need to learn here but uh what we'll do is tear down that EC2 instance okay we'll terminate that and once that instance is destroyed we can get rid of our security group and a bunch of other stuff and there's always a bunch of these darn things so we'll say delete one security group associated so we go here this is the one we are using but I want to get rid of all these other ones okay if I go here it could be because like of inbound rules so see this one because you can reference another security group within a security group so I'm just going to go save that there say any my IP there whoops it's set to n uh NFS so that might have been set up for our access point or I could just delete it that'd probably be easier okay so that's one that's kind of of a pain so I'm just looking for rules that might be referencing other security groups to get rid of them okay let's try this again we'll go ahead and delete I'm leaving the um I'm leaving the uh the defaults alone because those come with your VPCs and you don't want to get rid of those so it won't let me delete this one so I'm going to go edit that rule delete it save it you might not have this kind of clean up to do it's just might be me here you know um outbound inbound let's try this again here delete and I'll open this one up must be this one that is referencing the other one I'm just going to delete the rule and this is something that's just kind of frustrating with AWS but it's just how it is where sometimes it's hard to get rid of resources because you have to
click through stuff so it's not always a clean you might have like lingering resources and this isn't going to cost us anything but it's just the fact that um that it just makes things harder to see what you're doing you know this last one really doesn't want to go away so I'm just trying to delete all the rules out of here get rid of it can I delete this one now one group associate it will not show me what it's talking about okay here it is um okay this is referencing it I think it was the one there was an old one I don't know what this is we'll go down here and we'll go here and delete that and while I've been cleaning all these up now we can go over to our instance make sure that it's terminated it is good because if our instance is not terminated we cannot destroy the VPC uh prior the VPC could not be destroyed unless you detach the internet gateway I wonder if it's going to still complain about that we'll say yes it actually looks like it includes it in the cleanup type delete here there we go so we're all good we're all cleaned up there you [Music] are

hey this is Andrew Brown from ExamPro and in this video I just want to show you CloudFront so let's make our way over to CloudFront CloudFront is a content delivery network and it's used to cache your data all over the place as you can see I have some older ones here if you have a splash screen what you can do is just look for the left hand side there might be a hamburger menu open that up and then click on distributions and what we're going to do is create a new distribution if you don't want to create one because these do take forever to create um you can just kind of watch along I don't even feel like I'm going to hit the um the create distribution button because I just hate waiting for so long but the idea is that you have to choose an origin and so the origin could be something like an S3 bucket load balancer MediaStore this is where um the the content distribution network is going to source its
content right so if I say this bucket here um and I just it probably default to the root path the idea is that it's going to be able to pull content from there and then cache it everywhere and then down below you can say okay set the type of protocol redirect to here you can set up uh caching rules or like how often do you want it to uh cache like cache a lot don't cache a lot the great thing is like you have these edge or these um Lambda@Edge function so you can uh read and modify the request and response to the CDN which is very powerful but what I'm going to do is I'm just going to go look at what we already have because again I said they take forever to spin up and we're not going to see too much if we do so once it's spun up um this is what it looks like so you'll have an origin it says where it's pointing to you can create multiple origins group them uh you can modify your behavior so that was basically what we were looking at before as you can see we have our behavior there nothing super exciting we can set up error pages you can restrict based on geographical locations so if you're for whatever reason if you if you're not allowed to serve content in UK you could say exclude this geographical region right so you have an allow list or a block list saying like okay we can't do UK because like let's say you just don't want to do um let's say England you don't want to do um uh GDPR for whatever reason you could block out I don't know why I'm having a hard time here Britain England it's England right United Kingdom there we go so you just say okay forget United Kingdom I don't have to do GDPR now uh for invalidations the idea is that you know it is a cache so things can get stale or just persist and so here you can just type in say I want to get rid of image.jpg and then you create that invalidation and then it will go delete it out of the cache and so the next time someone requests they'll get the the fresh content this usually doesn't take that long but that's pretty much
CloudFront in a nutshell okay [Music]

hey this is Andrew Brown from ExamPro and we are taking a look at EC2 also known as Elastic Compute Cloud and so this is a highly uh configurable virtual server or it's also known as a virtual machine and that's what we're going to generally refer to it uh EC2 is resizable compute capacity it takes minutes to launch new instances and anything and everything on AWS uses EC2 instances underneath that's why we generally call it the backbone to all the AWS services and uh you're going to just have to choose a few options here so the first thing you'll need to do is choose your OS via your Amazon machine image so that's where you get Red Hat Ubuntu Windows Amazon Linux SUSE it might also come with pre-installed libraries and things like that then you're going to choose your instance type that's going to determine things like your vCPUs your memory so here you can see how many there are and you'll have like a monthly cost and that's the name of the instance type then you have to add storage so very commonly you're attaching Elastic Block Storage or Elastic File System system or service uh and so you know if you do choose your EBS uh you are going to have to determine what type it is so whether it's a solid state drive a hard disk drive a virtual magnetic tape or even attaching multiple volumes not just a single one and the last thing is configuring your instance so this is configuring the security groups the key pairs user data IAM roles placement groups all sorts of things so we will experience in that because we will show you how to launch it an EC2 instance and it'll make a lot of sense if it does not make sense right now okay [Music]

all right let's take a look here at EC2 instance families so what are instance families well instance families are different combinations of CPU memory storage and networking capacity and instance families allow you to choose the appropriate combination of capacity to meet your application's
unique requirements different instance families are different because of the varying Hardware used to give them their unique properties and we do talk about this thing about uh capacity reservation where AWS can actually run out of a particular type of instance family because they just don't have enough Hardware in that data center and so you have to reserve it but let's go through the different types of instance families the first is general purpose and these are the names of the different families uh very popular ones is the T2 um the T2 and one that's really interesting is the Mac which actually allows you to run um a a Mac server so these are great balance of compute memory and network resources so you're going to be using these most of the time the use cases here would be web servers code repositories things like that then you have compute optimized so um they all start with C uh no surprise there they're ideal for compute bound applications that benefit from high performance processor their edge cases here are scientific modeling dedicated gaming servers ad server engines things like that then you have memory optimized um and so there's a variety here these are fast performance for workloads that process large data sets in memory um they're great for in-memory caches in-memory databases real time big data analytics then you have accelerated optimized so this is your P2 P3 P4 things like that these are Hardware accelerators or co-processors these are great for machine learning computational Finance seismic analysis speech recognition if you're doing um uh ML on AWS you you'll start coming across these types AWS technically has a separate page on SageMaker ML machines but they're all pulling from these instance families okay then you have storage optimized so I3 I3en things like that these are highly high sequential read and write access to very large data sets on local storage the use cases here would be NoSQL in-memory or transactional databases data warehousing
for the certified Cloud practitioner you just need to generally know these five categories not the names of the instance families if you're doing um Associates or above you definitely want to know these things in a bit more detail and I want to say that commonly instance families are called instance types but an instance type is a combination of size and family but even AWS's documentation doesn't make this family distinction clear but I know this because you know in Azure they make that very clear and and GCP and so I'm bringing that language over here to just kind of normalize it for you [Music] okay let's take a look at what EC2 instance types are so an instance type is a particular instance size and instance family and a common pattern for instance sizes you'll see is things like Nano micro small uh medium large xlarge 2x large 4X large 8X large and you know generally they're to the power of twos but sometimes it'll be like 12 14 16 or it's even uh and so when you go to launch your EC2 instance you're going to have to choose that instance type and so here you can see you know here is our T2 micro and then we have um the small the medium the large the x large okay but there are exceptions to this pattern for sizes so you know there is one particular one called uh .metal and so that's going to indicate that this is a bare metal machine and then sometimes you get these Oddball ones like 9x large so you know the rule of power of two or even numbers is not always the case uh but generally it'll be pretty even for you know the start here okay uh just talking about instance sizes so the EC2 instance sizes generally double in price and attributes so uh just bringing up these numbers a little bit closer starting at the small here you're going to notice one two doesn't maybe double there but four and here we see 12 2 4 uh almost doubles there almost doubles there but I want to show you that the price is generally almost double so 16 33 67 135 and so a lot of times like
you always have the option to say okay do I want to go to the next instance size up or have uh an additional instance of the same size and sometimes it's a better approach to get an additional instance because then you can distribute it across another AZ uh but then you also meet additional capacity so there you go [Music] so we talked about dedicated instances and hosts a little bit but let's just make that distinction very clear so dedicated hosts are single tenant EC2 instances designed to let you bring your own license so BYOL based on machine characteristics and so we'll compare the dedicated instance to the dedicated host across isolation billing uh physical characteristics visibility Affinity between a host and instance targeted instance placement automatic instance placement and add capacity using allocation request so for isolation for dedicated instance you're going to get instance isolation so you can have the same customer on the same physical machine but there is virtualization there for them and there's a guarantee of that um for a dedicated host you have physical server isolation so you get the whole server for billing uh on a dedicated instance it's per instance billing and it's going to have an additional fee of $2 per region and for dedicated host it's per host billing so it's a lot more expensive but you get the whole machine uh for visibility of physical characteristics you're not going to get any of that information for a dedicated instance for dedicated host you are such as sockets core host host ID and this is really important when you have a bring your own license and they're saying this license is for x amount of cores or x amount of sockets then we have Affinity so there's no affinity for dedicated instance for dedicated hosts you'll have consistency with deploy to the same instance to the same physical server uh there's no control of Target instance placement for dedicated instance you do have control on a dedicated host for auto automatic
instance placements you have it for both and to add capacity using allocation requests it's a no for dedicated instance and it's a yes for dedicated host so I want to come back to the main point that's what's highlighted here is that on a dedicated host you have visibility of sockets core host ID and this is really really important when you're bringing your own license BYOL such as um you know Microsoft SQL servers where you have to specify the amount of cores and things like that [Music] okay so we've been talking about uh tenancy and I just wanted to make it very clear uh the difference between the different levels of tenancy on AWS so we have three okay so we got dedicated host so your server lives here and you have control of the physical attribute so basically the whole server okay uh then we have dedicated instances so your server is on the same uh a physical machine as other customers but the actual slot that you have the dedicated instance will always be the same uh and then we have uh the default so your instance will live somewhere on the server uh and when you reboot it it's going to be somewhere else so there's no guarantee that it's going to be in the same place every single time [Music] okay hey this is Andrew Brown from exam Pro and in this follow along we're going to be looking at EC2 and also um services that are adjacent to it so like Auto scaling groups load balancers elastic IPs things like that so we fully understand EC2 um you don't have to know tons for the exam but you should be able to go through the motions of this with me so that you can cement that knowledge um for some of those deeper Concepts like working with key pairs and things like that so let's make our way over to the EC2 console and learn what we can learn um and generally when you go to the EC2 console it'll bring you to the dashboard for whatever reason it didn't bring me there and then the idea here is that on left hand side we can make our way over to instances okay and this is
where we can launch our first instance so if we go here and launch our instance the first thing we're going to be presented with is to choose our AMI or Amazon machine image and so that is a template that contains the software configuration so the operating system applications and other binaries that would be installed on that OS by default all right and so we have a variety that we can choose from in the quick starts and generally the ones that you're going to see first are the ones that AWS supports so there are uh um AMIs or operating systems that AWS will support when you contact them and then there's ones that are outside that where uh they'll still help you with but they might not have the knowledge on so just understand that if you pick from these core ones you're going to be in good shape uh the most popular is the Amazon Linux 2 because it's part of the free tier and it is very minimal and well hardened by AWS so it's a very good choice there but you can see you can install a bunch of things so like if you want to launch a macOS server you can absolutely do that a Red Hat uh SUSE Ubuntu a Windows Server you name it they have it um if you wanted something more farther out there you can go to the marketplace and uh subscribe to one that is managed by company basically everything exists Under the Sun here or you could get a community AMI so these are ones that are contributed by the community for free but we're going to go back to quick start here and what I want you to notice is that there is this AMI ID that's how we can uniquely identify what we are using if we were to change region even with the same Amazon Linux 2 instance this thing will change so just understand that it is regional based and it comes in a 64-bit variant and an Arm variant and so we're going to be using the x86 here you can notice here you can change it on the right hand side we're going to stick with x86 I'm going to go ahead and hit next so now we're going to choose our instance type
and so this is going to decide um uh greatly how much we're going to be spending because the larger it is the more we're going to spend so see this T2 micro if we wandered into the pricing for that we go to EC2 pricing AWS and once we get to EC2 pricing we want to go to on demand and from here this will load and so down below we can kind of go find our price it should show us it should show us the list ah here it is okay so I can say a T2 micro and we can see the On Demand is this so it seems really cheap what you got to do is do the math so if you do times 730 that's how many hours there are in a month if we launch a T2 micro and let's say we didn't have the free tier which you do if you first made your account you're going to have 700 750 hours for free with the free tier but if you didn't it would only cost you $8.46 USD okay so just be aware of that if you ever need to figure something out go there copy it do the math 730 it's pretty easy so here we have a T2 micro and the T2 family it's going to have one vCPU notice that it has a V for virtual so there could be more than a single CPU on the underlying Hardware but we're only going to have access to one virtual CPU we have one gigabyte of memory it's for low to moderate Network performance so that's a factor that can change if you need like uh uh gigabit stuff like really fast connections for on-prem hybrid connections and you have specialized servers for that but for this this is fine the T2 micro is great uh if you want you can also search uh this way to see all the instance families and things like that you can filter for current Generations all generations so this is fine okay so from there we're going to go to configure our instance type you can say let's launch multiples of these instances let's turn on spot to uh save money and try to bid for a particular price we can change our VPC it's going to default to the default VPC um if you have no subnets just going to pick one at random here which
is fine um whether to Auto assign a public IP address if you do not have an IP address you cannot reach the internet so generally you want this to be enabled this is dependent on the subnet whether it will default to enabled but doesn't matter if you have an EC2 instance in a private or public subnet you can always override this and give it a public IP address you have placement groups which allows you to place servers together closely not something for the certified Cloud practitioner there's capacity reservations so if you're worried about AWS running out of this you can reserve capacity so that's kind of interesting domain join directory this isn't something that I've done much with but I imagine that has something to do with um a direct active directory or something like that to join information then you need to uh have an IAM role and we absolutely do need an IAM role here so what I want you to do is create a new role just going to close off these other tabs here and we will go wait a moment create a new role here and we want to do this for EC2 so we say EC2 is what we're creating the role for we'll hit next and um I don't know if I have a policy but I'm going to go ahead and um well I don't need to make a new policy but I just want SSM and the reason I want SSM is so that I can um uh use sessions manager to log in so we don't have to use key pairs we will use key pairs but if we didn't want to use it that's what we could do and this used to be the old role and it'll tell you hey go use this new one here so I just want to make sure I know which one it is and so we'll just checkbox that on we'll hit next we can add tags right here it'd be uh well actually we don't need to add any tags here so that's fine we'll hit next and then I'll just say uh my SSM ec2 role okay and we'll create that role and now that we have created that role we can go back to our first tab here and give this a refresh and then drop down and it should show up here if we go down here a little bit we
could turn on extra monitoring there is monitoring built in but if you wanted to uh monitor it to a lower uh like it more frequently you could do that as well we want shared tenancy right this is where you change the dedicated instance or dedicated host obviously these cost more but we're going to stick with shared elastic inference so this is for um uh attaching a a fractional GPU great for ML not something that we want there's credit specification I don't remember seeing this before selecting unlimited for credit specification allows for to burst beyond the Baseline so it's for bursting here you can attach an uh EFS uh so if you need a file system that you want to mount or attach um then there's the Enclave option so Nitro Enclave enables you to create isolated compute environments to further protect your uh and securely process highly sensitive data so it might be something you might want to checkbox on um based on your use case and then down below our we have our ability to enter our user data and this is something we want to do because we want to install Apache so that we have something to work with here so what I'm going to do is make a shebang so that is a pound and an exclamation mark I know that's really small so I'll try to bump up my font here so you can see what I'm doing and we're going to do a forward slash bin and a forward slash bash on the next line here we're going to do yum install hyphen y httpd um that's going to install Apache and why it's not called Apache I don't know why but they call it httpd there's no Apache in the name there and so we'll say systemctl start httpd systemctl enable httpd so we're saying start up Apache and then make sure that it stays running if we restart our machine very simple so from there we will go to our our storage we'll say add our storage and this is at 8 gigabytes by default we could uh uh turn that up to 30 if we like so you can go all the way up to 30 if you like um and you might want to do that but I'm going to leave it at 8 we
could change our volume type I'm fine with gp2 because it's very cost effective and if we want to turn on encryption and you should always turn on encryption there's no reason not to and so we'll turn that on it's not like it's going to cost you more it's going to be the same cost it's just your choice there if do want to add a tag yes we're going to add a name and we're going to say my ec2 instance okay and so that's going to give us a name which is something we would really like to have then we have a security group I'm going to just create a new security group called my um ec2 SG here and just say my ec2 SG something you cannot do is rename a security group once you've made it so make sure you don't make a spelling mistake up here and we want to be uh accessing that HTTP or it's going to launch a website so in order to do that we need to make sure we have HTTP as a type with the port 80 open and we want it from anywhere so we'll say anywhere and that will be 0.0.0.0/0 and that's for the IPv4 this is for the IPv6 okay so we'll just say internet and this is for SSH right and for this um I would probably suggest to say my IP but since we might be using a cloud shell to do that we're going to leave it as anywhere so that we don't have any issues connecting so from here we'll review and launch and you can review what it is that's going on here it's going to say here hey you have an open port that's okay we we want the internet to see our website because that's the whole point there and we'll go ahead and launch it it's going to ask for a key pair we can go down and say proceed without key pair but what I'm going to do is I'm going to create a new key pair because I want to show you how those work and I'm sure we've already done in this course once but we'll do it again and so I'm going to just name this as my ec2 instance here and then we're going to go download that key pair it's going to download a pem file there and so now we can go ahead and launch that
instance and while that is launching so I'm going to just close this other tab here we're going to click on The View instances and so here is that instance that's how we put the tag so we could have a name there we're going to wait for that to start but as that's going I'm going to make a new tab by just right clicking here on the logo click anywhere pretty much to do that and uh once we do that we'll click on cloud shell and as that is going what I want to do is take this pem down below I'm going to move it to my desktop to make it easier for me to upload I'm doing this off screen okay and uh once this environment is running I'm going to go ahead and upload that okay so we'll just give it a moment to do that we're also waiting for the server to spin up as you'll notice there is a public IP address here it says it's running so if we want we can copy it we're looking for those two checks to pass so the server could be available but generally you want to wait for those two system checks because one says Hey the hardware is fine the Network's fine things like that okay but if I take that IP address paste it on it up here we have the web page so that is working uh no problem there so that's great and we'll go over to Cloud shell and that is still starting uh it's not the fastest but that's just how it is and um you know we'll get going here in a second as soon as this decides to load there we go so it's loaded I can type clear here just to clear that screen out and so what I want to do is upload that pem file so I'm going to go and upload that file we're going to go ahead and select it I'm going to go to my desktop here whoops my desktop and we are going to choose my ec2 instance pem all right and from there we'll hit upload and that's going to upload that pem file once that is uploaded we're going to do ls okay and so uh this is from a previous tutorial so I'm going to go ahead and just delete that other one there we'll say remove EFS example pem yes okay we'll type
clear and then what we can do here is Type in chmod and um I believe it's 400 and what do we call this my ec2 instance pem if you hit tab it will autocomplete which is nice and if you do ls -la we can take a look at that file and see it should look like this should have only one R here here so the idea is you're locking it down so it's not writable or executable it's just readable because that's what you have to have it if you want to SSH and so if we want to ssh what we'll do is hit the connect button here and we have four options they just give you too many options it's going to be a fifth one for sure soon but right now we're talking about SSH so for SSH um we had to chmod our file which we did and then we need to use this DNS to connect to it and so this is the full line here if you click on this copy that over and paste it in that should be everything and notice we're doing ec2-user followed by this you could put the IP address in here instead if you preferred so if you were over here you could go and take that IP address which is I think shorter nicer but um you know if you just click that one button it works that's fine you always have to accept the uh the fingerprint then you'll be inside the instance you can type whoami to see which user you are you're the ec2-user that's the user that AWS creates for their Amazon Linux instances um it's going to vary per um AMI so not all AMIs have an ec2-user it might be something else but that's generally the ones that AWS uses for their supported ones and so if we do um an ls again we're in the server right now we can tell because it says right here or we do a pwd we can kind of just kind of look around so I think it's going to be at var www that's where HT httpd or Apache always uh puts their files here so if I go in here whoops I'm just looking looking for um the index file so I thought the index file was in cd var www html well where the heck is it so I'm G to just touch a file here and see if it overrides it oh I
don't care I'll just type sudo and what we can do is just try to restart this systemctl um there's a very similar command that's like uh service and so I always forget the order of it so I think it'd be I'm just checking um probably uh restart httpd and so failed to restart the policy was not provided as the name service um Service uh maybe sudo there we go and so if we go back here I'm going to see if it changed because it will take whatever is in the index.html file so if there's no file there it's going to uh show that there and so what I can do is I can edit this file I'm going to type vi index.html and um I'm going to hit I for insert mode oh says it's read-only so what we have to do Q uh colon Q quit oops uh clear ls and so what we need to do is do sudo vi index.html and so Vim every single key is a hotkey okay um and I'm not teaching Vim here but I'm going to teach you the basics but the idea is that when you're here notice that the cursor is blinking when I hit I it enters insert mode now I can type normally so I'd say hello uh hello Cloud okay and I'm going to hit escape to go back to um navigation mode whatever you want to call it I'm going to hit colon so it brings up the command I'm going to type in uh write and quit Okay and hit enter and so I'll type clear and so whoops clear and so we'll hit up till we get that command sudo systemctl restart httpd we'll hit that hit enter okay and it should restart pretty fast there it is it says hello Cloud I probably didn't even have to restart it to do that but anyway so now that instance uh you can see how we're updating that so what I want to do is just do a sanity check and make sure that if we restart this instance that we're going to be able to um have Apache running that's something you should always do if you have an app and you or anything and you install it restart your server make sure that everything works so what I'm going to do is uh just hit exit here so we go back to the top level cloud shell type
clear I'm going to go back over to my EC2 instance might have to click around to find it here and what I want to do is reboot it okay and if I reboot the machine the IP address is going to stay the same okay so if I reboot it the IP address is going to to stay the same and the reboot is going to happen really fast if we want to observe that reboot we could go over to um here on the right hand side go to the system log and it would show us that it it had rebooted I think so yeah it does cloud-init there I think it rebooted not sure um but anyway if it's rebooted then we can go ahead and connect and make sure everything's fine so let's just go here and hit enter and let's see if the what the web page is here notice that it's hanging right so it's probably because it's still restarting even though it doesn't look like it is and that's something that you have to understand about the cloud is that you have to think about what you're doing and have confidence that it is happening and also just double check it but uh that's something that can be kind of frustrating because these are globally available Services uh uh they're massively scalable and so one of the trade-offs is that you don't always have the most uh responsive uh UIs AWS has one of the most responsive UIs out of all the major providers but even still like sometimes I have to second guess myself but the page uh right now is not working now it is so it's fine so it just took time for that to reboot and so um what I want to do is connect a different way so we're going to go here and we're going to hit um we're going to checkbox that on we're going to hit connect and instead of using SSH client we're just going to go to sessions manager and hit connect and this is the preferred way of connecting because you don't have to have this this SSH key and that's a lot more secure because if someone has that key and you you know you hand it to someone they could hand it to somebody else and then you have a big problem
on your hands so here this looks very similar but if you type whoami it actually logs in as the SSM user which is kind of annoying so I type in sudo su I have to do this hyphen here and then I'm going to say the user I want to be which is ec2-user and then if I type whoami we are the correct user you can't do anything in that SSM hyphen user or or SSM user so you got to switch that over and I can bump this up to make it a bit larger so this is obviously not as nice as working over here or even in your own terminal but it's a lot more secure and it's tracked and all these other things so we really should be using it okay and um I really don't like having to bump this up with my HTML I'm going just go back to zero there there's probably like a way to configure that but anyway uh let's just go and take a look at our file I'm going to type vi again and we're going to do var www html index.html I'm going to put sudo in front of there and again remember you have to hit I to go into insert mode and uh what I'm going to do is just take capitalize that hello Cloud give that exclamation mark colon WQ to quit WR quit going to go back here refresh okay so we don't have to restart our server which is nice all right so um that's that that's pretty clear so I'll hit terminate here and I don't think we need Cloud shell for anything so I'm just going to close that and so that's pretty much it when it when it comes to working with an an EC2 instance and so the next thing I want to show you is elastic IP [Music] okay okay so now I want to show you elastic IP uh commonly abbreviated to EIP and so all that is it's just a um a static IP and IP that does not change because this EC2 instance here notice that it's 54.163.4.104 and what would happen if we were to stop this instance not reboot it but stop it because for whatever reason we had to or or um for whatever reason and if we were to stop this instance and we were to restart it okay uh and we have to wait for it to stop but that
IP address is going to change okay so 54.163.4.104 hopefully we can observe that I'm just going to write that down so we do not forget so I can prove to you that it does change and now that it it's still stopping here so as that's stopping we're just going to go ahead and get our elastic IP and I will'll prove that as we go here so I'm going to go over to here and so what I want to do is Reserve or allocate an elastic IP address and so I'm going to say us-east-1 and it's going to say from the Amazon Pool of IPv4 addresses so AWS has a bunch of IP addresses they're holding on to and so you can just allocate one and once you've allocated that's your IP address so coming back to here okay this is stopped notice there is no public IP address we're going to start it again okay and then we'll just checkbox it on and we just have to wait a little while to see what the IP address is going to be I'm going to tell you it's going to be something else so if I go back here this is 54.235.12.110 and our original one was 54.163.4.104 so the the reason why it's important to have the same address is that if uh you have a load balancer well not a load balancer but if you have a domain pointing to your uh your server and you reboot then the route you have a dang a dangling um path or route where uh Route 53 was going to be pointing to nothing and so AWS does have things to mitigate that like aliases and things like that but um in general you know there's cases where you just have to have a static IP address and so we had allocated one over here and if we want to assign it we're going to associate that elastic IP address we're going to drop it down choose the EC2 instance um I suppose the private IP as well and then we're going to go ahead and hit allocate or associate and once it's Associated it should now have 34.199.121.116 so we go over here and we're going to take a look here and that's its IP address we can pull it up okay and that's that so yeah that's elastic [Music] IP okay
so now that we um have our elastic IP we have our EC2 instance running let's say um you know we lose the server we terminate it so we would lose all of our configuration so if we wanted to bake this AMI to save it for later what we'd have to do is go and create an image so to do that we go to the top here and we go to images and templates and we can create an image or we can create a a a template which is a lot better but for the time being we're going just go ahead and create an image and when you create an image you're basically creating an AMI and so here I'm just going to say uh my ec2 and I'm going to go 0 to just kind of like number it so that's a very common numbering just do three zeros and then increment by one and so here I can just say my Apache server and so it's going to save some settings like the fact that there is a a volume you could uh save some tags there and so I might go ahead and add a tag and you'll say name and we'll just say my ec2 server or so that it remembers that okay and then what we'll do is go ahead and create our image and so this can take a little bit of time if we go over to uh images here it's going to be spinning for a while and uh we'll just wait until it's done okay all right so after waiting a little while here our AMI is ready so we're just waiting for it to go available if you do not see it just make sure you hit the refresh um because sometimes AWS will just spin forever um and so that's just something you'll have to do so you know hopefully that makes sense what we'll do is is go make our way back over to instances here and we can launch one this way well actually we can do it over from um the AMI page so what I'm going to do is just terminate this instance we're all done with it okay and we'll hit terminate it's totally fine and it had a message about elastic IPs about releasing them so when it does that the elastic IP is still over here so it did not release it so what we're going to do is go ahead and disassociate the
elastic IP okay and then we're also going to release the IP address because if we don't we're going to have this IP address that's sticking around that we're not using it this is going to charge us a dollar month over month so just be aware of those because that's just kind of like a hidden cost there but what we're going to do is go over to AMI and we're going to select it here we're going to go to actions we're going to go ahead and launch and what it's going to do is make us fill out all this other stuff again so if you had made a launch template uh we wouldn't have to fill out all this stuff it'd be part of it but that's what I'm trying to show you with this AMI stuff so um instead of filling out all this what I'm going to do is now go create a launch template just to kind of show you that that would be a much easier way to work so we go over to EC2 instances and then left- hand side we're looking for a launch template launch launch configurations is the old thing um launch templates here we go so what we'll do is create ourselves a launch template we'll just say my Apache server and then down below we need to choose our AMI so we're going to go here and we need to type it in so what would we call it my ec2 I really don't like this uh search here it's very slow and frustrating but once we find it whoops that's why I don't like it because a lot of times it'll be loading and you'll end up clicking the wrong thing okay so I don't like this okay we'll type in my give it a second there it is just wait because it will keep loading and then once it's loaded hit enter and so it has that instance selected and then from there uh don't include in the launch template so here we could be explicit I would say I want this to be T2 micro but we could exclude it if we wanted to we could specify the key pair here um not that we really want to use key pairs we'll say my ec2 instance then down down here for the networking we can specify uh that security group we created so we
created one here called my EC2 SG um storage is fine it's going to be encrypted network interface is fine advanced details what I want to do is set the IAM instance profile that's really important because we don't want to have to figure out that role every single time so we'll put that there and that should be everything and we could put user data in there but it's already baked into our AMI so we don't have to worry about anything so what I'm going to do here is go ahead and create this launch template and then we're going to view this launch template and so now what we can do is then use it to launch an instance okay and so we're going to look here and it's very similar to EC2 except it's vertical so we're going to have one instance it's going to use that AMI that instance type so you can see how you can override them which is nice we're going to check the advanced details make sure that IAM profile is set and we'll go ahead and launch this from a template so from there we can go ahead and click the instance value there and just be aware that when you do click through links like that you'll end up with the search so I'll just checkbox that off so I can see what I'm doing and so we're just waiting for this instance to show up and the only thing I noticed is it didn't set our darn tags so I wanted the name in there and I think it's because we set it in the AMI but it didn't carry over to the launch template so I'd have to go back to the launch template and update it probably so if I go into here into the launch template um we can probably modify create a new version and then add tags there we say name uh my uh Apache server I realize I'm changing it between them and so that should allow us to have a version two so we'll create that and but anyway that will be for the next time we launch it okay and so this instance is running I'm going to go grab the IP address the server may or may not be ready we'll take a look here and so it's just spinning if it's
spinning it's either the server is not ready or um our port's not open so it was just getting ready to work there so it is working now so that is our launch template so now you know we don't have to worry about losing our stuff and if we need to make new versions we can just bake new AMIs and increment them and attach them as new versions of that launch template [Music] okay all right so what I want to show you in this follow along is to set up an Auto Scaling group for our EC2 instance and the idea behind this is that um we'll be able to always ensure that a single server is running or uh increase the capacity if the demand requires it so in order to create an Auto Scaling group we can go all the way down below to here um and so you know I really don't like the Auto Scaling group form but it's okay we'll work our way through it so the first thing is we'll have to create our or name our Auto Scaling group so we'll just say my ASG and then we'll have to select a launch template which is great because we already have one and then we'll have to select the version I'm going to select version two so that it applies that tag name and we'll go to next and so here um it's going to need to select a VPC and then we need some subnets so we're going to choose three just because to have high availability you have to be running in at least three different availability zones so that's why we have three different subnets and then down below we have the instance type requirements so uh t2.micro launch template looks good to me so we'll go ahead and hit next and then from here we can choose to do a load balancer and so I want to do the load balancer separate so we won't do it as of yet but very often if you're going to have an ASG you're going to usually have a load balancer but we'll talk about that when we get to that point there so we'll just go to the bottom here and hit next and so this is what's important so how many do you want to be always running
and so we always want to have one and maybe the maximum capacity is two and you want the desired capacity to be around a particular number so if you had three and you said the desired is two um there are things that could try to work to always make sure there's two but we just want to have one for this example we can set up uh scaling policy so I do target tracking scaling policy and so here we could do it based on a bunch of different things so if the CPU utilization went over 50% it would launch another server so that might be something we might want to set so we're not going to uh try to trigger the scaling policy but we might as well just apply because it's not too hard then you can also do a uh scale in protection policy so if you want to make sure it does not um reduce the amount of servers that's something you could do we can add a notification to say hey there's a scaling policy happening here which is fine we don't have to worry about that um and there's tags so add tags to help you search filter etc um so I'm going to put a tag here I'm going to say name I'm just wondering if this is going to attach to the EC2 instance or this is for the Auto Scaling group you can optionally choose to add tags to instances by specifying tags in your launch templates so we already did that so I don't need to put a tag here and so we can review our um Auto Scaling group and go ahead and create that Auto Scaling group okay and so that Auto Scaling group expects there to be a single instance so what it's going to do is it's going to start launching an instance and so what I'm going to do is just get rid of this old server because we don't need it anymore this old one here okay and you can already see okay that the load balancer is launching this new one here and remember we updated our version two to have that name so that's how we know that it is so if we go back over to our Auto Scaling group okay it's now saying there's an instance we don't have a status
as of yet and so there are ways of doing status checks to determine whether or not the server is working um because if the server is unhealthy what it would do is it would actually kill it and then start up a new one right so if I go down below it's right now doing an EC2 health check and the EC2 health check just means that is the server working right um is it running it doesn't necessarily mean like hey can I load this web app um but you know it's very simple so we'll give it a moment here to start up and just make sure that it's working okay and I think it's ready so if I take that public IP address here and paste it in there it is okay so if we were to tell it to increase the capacity to three then what it would do is it would launch three and then it should probably launch it all evenly to those other it should evenly launch it to all those other uh availability zones and then we'll have something that is highly available okay so that's pretty much it for this and then we'll move on to Auto Scaling [Music] groups all right so we have our uh EC2 instance now managed by an Auto Scaling group and the great thing is that if we terminate this instance this Auto Scaling group will launch another uh instance to meet our particular capacity um the only thing though is that if we were to have multiple EC2 instances running like three of them um how would you distribute traffic to them all all right so you know you have an IP address coming in from the internet uh but let's say you want to evenly distribute it and that's where a load balancer comes into play and even if you have a single server you should always have a load balancer because it just makes it a lot easier for you to scale when you need to and it acts as an intermediate layer where you can attach a web application firewall you can attach an SSL certificate for free so there's a lot of reasons to have a load balancer so what we'll do is go down below on the left hand side and we're going to make our
way over to load balancers and we're going to create ourselves a new load balancer so I'm going to hit create load balancer here and you're going to see we have a lot of options Application Load Balancer Network Load Balancer Gateway Load Balancer and then the Classic Load Balancer and so we are uh running an application so I'm going to create an Application Load Balancer and here I'm going to say my ALB um for an Application Load Balancer this is going to be internet facing it's going to be IPv4 um we're going to let it launch in the default um subnet and we're going to choose the same uh AZs right so that we get the same subnets that are in our Auto Scaling group and that's really important okay and then here um you know we need to have a security group and I just feel like selecting the same one here because that should work no problem there and we want to make sure that we can listen on port 80 and that it's going to forward it to a um a target group it looks like I might have a target group there from before so just to reduce that confusion you won't have this problem I'm just going to double check if that's true so do I have a target group from there from before yes I do that came from I'm not sure it might have been created by um Elastic Beanstalk and wasn't deleted okay so I'll go back over to here just so there's less confusion and we were selecting our target group so we're going to have to create a new target group so we go over here and here you can choose whether it's instance IP Lambda Application Load Balancer so you could point it specifically to an IP address and so if it was a static IP address that would make sense uh apparently you can uh point it directly to instances I don't remember seeing that option before I guess that makes sense yeah no sorry that makes sense because that would go to uh VPCs okay or sorry uh ASGs Auto Scaling groups it's just that you are pointing them to Auto Scaling groups you're not pointing them to
instances so that's why that's confusing so I'm going to say my um target group it'll be for port 80 here um protocol HTTP1 is fine we want to be in the same uh VPC so that's fine as well and down below we have our health check and so the forward slash means that it's going to hit the index HTML page and so if it gets back um something healthy and that something healthy is going to be um uh port 80 then it's going to be considered good and then we can say the threshold of check so I'm just going to reduce this so it's not so crazy so we'll say three uh two and then 10 okay and then it expects back a 200 which I think that's what we'll get back so we'll go ahead and hit next and so now we have our target group and it should register instances so it's saying hey we detected this and this fits the requirements for this so this is now uh this EC2 instance is now in this target group okay so we can go back over here and we can now drop down and choose whoops hit the refresh button and choose our target group so I'm not seeing it here so I'm going to go back over here oh we didn't create it okay and now we can go back hit refresh and there it is and yeah that looks all good so we'll go ahead and hit create load balancer we can view the load balancers and these create really fast if we scroll on up what we can do is now access our server through this DNS name okay so we copy that paste that on in there does it work not as of yet so if it's not working there because we did say look at these instances another way is to directly associate your Auto Scaling group with the load balancer so if I go into here and we hit uh edit there is a way aha load balancer so we want to associate this way and we want to say this target group here and also while we're here we might as well set it to ELB so it's going to use the ELB check so that makes it so the Auto Scaling group if it wants to uh restart a server it's going to use the ELB's check which is a lot more sophisticated and
then what we'll do is go hit update okay and now if we go back over to our load balancer we're just going to close some of these tabs so it's less confusing uh load balancer here I think we should be able to see through here whether it is seeing it let's go down below listeners monitoring integrated services no it's going to be through the target group okay I mean it already had it there so maybe it's just that it hasn't finished the check so over here it has a health status check oh now it's healthy okay so if it's healthy in the target group and the load balancer is pointing to it then it should technically work so we're going to go ahead and uh copy the DNS again here make a new tab paste it in and there it is okay so that's how you're going to access um all your instances that are within your Auto Scaling groups you're going to always go through the DNS and so if you had a Route 53 uh domain like you had your domain managed by AWS you just point to the load balancer and that's how you hook it up so that's pretty much it so yeah there you [Music] go all right so there you go we learned everything we wanted to know about EC2 so the last thing to do is to tear everything down so we have a load balancer we have an Auto Scaling group um and those are the two things we'll have to pull on down so the first thing would be to take down the Auto Scaling group and when you delete an Auto Scaling group it's going to delete all the EC2 instances so we'll do it that way if you tried to delete the EC2 it would just keep on spinning up so you have to delete that first and so as that's deleting then we'll be able to delete our load balancer I'm going to try anyway to see if I can delete it at the same time and so I'll go up here I'm going to go ahead and delete that uh load balancer actually it did work no problem going to make sure I don't have any Elastic IPs I'm going to also make sure I don't have any key pairs you can keep your key pairs around but like I just want to
kind of clean this up so okay okay and that instance should be terminating got to go back to the Auto Scaling group here if we click into it we can check um its activity here so it's just saying successful so it is waiting on ELB connection draining which is kind of annoying because we deleted ELB so there's nothing to drain um draining is just to make sure that uh you know there's no interruptions when terminating services so just trying to be smart about it and all I want to see is that it's just saying terminating over here and then I think we're done okay so we'll just have to wait a little while here okay and I'll see you back in a moment okay all right so after waiting a very long time it did destroy so if I go down over to uh my load balancer here you're going to see that it does not exist so there was that connection draining thing which was kind of annoying it's probably because I deleted the load balancer first and then the um the uh the Auto Scaling group second and probably connection draining was turned on but it's not a big deal we just waited it and it did eventually delete so we're pretty much all done here so there you [Music] go hey this is Andrew Brown from ExamPro and we are taking a look at EC2 pricing models and there are five different ways to pay with EC2 remember EC2 are virtual machines so we have on demand spot reserved dedicated and AWS Savings Plans so what we'll do is look at these in summary here and then we'll dive deep onto each of these different pricing models so for on demand you are paying a low cost and also you have a lot of flexibility with this plan uh you are paying per hour so this is a pay as you go model uh or you could be paying uh down to the second which we'll talk about uh the caveats there when we get to the on demand section this is suitable for workloads that are going to be short-term spiky unpredictable workloads uh that cannot be interrupted and it's great for first-time application and the on demand
pricing model is great when you need the least amount of commitment for spot pricing you can see we can save up to 90% which is the greatest savings out of all these models here uh the idea here is you're requesting spare computing capacity that AWS is not using and that's where you're going to get that savings you have flexible start and end times uh but your workloads have to be able to handle interruptions because these servers can be stopped at any time to be given to more priority customers uh and this is great for non-critical background jobs very common for like scientific computing uh where jobs can be started and stopped at any given time this has the greatest amount of savings then you have reserve or reserved instances this allows you to save up to 75% this is great for steady state or predictable usage you're committing uh with AWS uh for EC2 usage over a period of one or three-year terms you can resell uh unused reserved instances so you're not totally stuck with this if you buy them this is great for the best long-term savings then you have dedicated so these are just dedicated servers and technically not a pricing model but more so the fact that it can be utilized with pricing models um but the idea here is it can be used with on demand reserved or even spot this is great when you need to uh have a guarantee of isolated hardware for enterprise requirements and this is going to be the most expensive uh so yeah there you go and we'll dive deep here [Music] okay so the on demand pricing model is a pay as you go model where you consume compute and then you pay later so when you launch an EC2 instance by default you are using that on demand pricing and on demand has no upfront payment and no long-term commitment you are charged by the second up to a minimum of 60 seconds so technically a minute or the hour so let's just talk about the difference between those uh per second billing and those per hour billing so per second are for Linux Windows Windows
with SQL Enterprise Windows with SQL Standard Windows with SQL Web instances that do not have a separate hourly charge and then everything else is going to be um per hour and so you know when I'm launching EC2 instance I can't even tell when something's per second or per hour you just have to know that it has a separate hourly charge but generally you know if you're just launching things it's going to probably be the per second billing when you look up the hourly or the uh the pricing it's always shown in the hourly rate so even if it is using uh per second billing when you look up that pricing it's always going to show it to you like that but on your bill you'll see it down to the second okay up to the first 60 seconds on demand is great for workloads that are short-term spiky or unpredictable uh but when you have a new app development this is where you want to experiment and then when you're ready to uh start saving because you know exactly what that workload is going to be over the span of a year or three that's where we're going to get into reserved instances which we'll cover next hey this is Andrew Brown from ExamPro and we are taking a look at reserved instances also known as RI and this is um a bit of a complex topic but uh you know if we do get through it it's going to serve you well through uh multiple AWS certifications so let's give it a bit of attention here so RI is designed for applications that have a steady state predictable usage or require reserved capacity so the idea is that you are saying to AWS I'm going to make a guaranteed commitment uh saying this is what I'm going to use and I'm going to get savings uh because AWS knows that you're going to be spending that money okay so the idea here is that the reduced pricing is based on this kind of formula where we have term class offering the RI attributes and payment options technically the RI attributes don't exactly factor into it other than the fact that an RI attribute could be like the
instance type size uh but I'm going to put that in the formula there just because it is an important component so let's take a look at each of these components of the formula to understand how we're going to save so the first is the term so the term uh the idea here is the longer the term the greater the savings so you're committing to a one-year or three-year contract with AWS um and one thing you need to know is that these do not renew so at the end of the year the idea is that you have to purchase again and when they do expire your instances are just going to flip back over to on demand with no interruptions to service then you have class offerings and so the idea here is the less flexible the offering the greater the savings so the first is standard and this is up to a 75% reduction in the price compared to on demand and the idea here is you can modify some RI attributes which we'll talk about when we get to the um RI attribute section there then you have convertible so you save up to 54% reduced pricing compared to on demand and you can exchange uh RIs based on the RI attributes if the value is greater or equal in value and there used to be a third class called scheduled but this no longer exists so if you do come across it just know that AWS is not planning on offering this uh again for whatever reason I'm not sure why uh then there are the payment options so the greater upfront the greater the savings so here we have all upfront so full payment is made at the start of the term partial upfront so a portion of the cost must be paid upfront and the remaining hours in the terms are billed at a discounted rate and then there's no upfront so you are billed at a discounted hourly rate for every hour within the term regardless of whether the reserved instance is being used and this is really great this last option here because basically you're saying to AWS you're saying like I'm just going to pay my bill as usual but I'm going to just tell you what it's going to be and I'm going
to save money so if you know uh that you're going to be using a t2.medium for the next year uh you can do that and you're just going to save money okay so RIs can be shared between multiple accounts within an organization and unused RIs can be sold in the Reserved Instance Marketplace but we'll talk about the limitations around that when we get a bit deeper in here just to kind of show you what it would look like in AWS console and they updated it I love this new uh UI here the idea here is you're going to filter based on your requirements and that's going to show you RIs that are available and then you'll just choose the desired quantity you can see the pricing stuff there you're going to add it to cart you're going to check out and that's how you're going to purchase it [Music] okay so another factor to that formula were RI attributes and sometimes the documentation calls them RI attributes sometimes they call them instance attributes but these are limited based on class offering and uh can affect the final price of the RI instance and there are four RI attributes so the first is the instance type so this could be like an m4.large and this is composed of an instance family so the m4 and then the instance size so large okay then you have the region so this is where the reserved instance is purchased then you have the tenancy whether your instance runs on shared so the default which uh would be multi-tenant or a single tenant which would be dedicated hardware and then you have the platform whether you're using Windows or Linux even if you're using on demand of course this would just affect your pricing but there are some limitations around here which we'll get into as we dive a bit deeper here with RI [Music] okay all right let's compare regional and zonal RI so when you purchase an RI you have to determine the scope uh for it okay so this is not going to affect your price but it's going to affect the flexibility of the instance uh so this is something you
have to decide so we're going to talk about regional RI which is when you purchase it for a region and zonal RI when you purchase it for an availability zone so when you purchase it for regional RI it does not reserve capacity meaning that there's no guarantee that those servers will be available so if AWS runs out of those servers uh you're just not going to have them but when it's zonal uh you are reserving capacity so there's a guarantee that those will be there when you need them um in terms of uh AZ flexibility uh you can use the regional RI for any AZ within that region but for the zonal RI you can only use it for that particular region we're talking about instance flexibility um you can apply the discount to uh any instance in the family regardless of the size uh but then when we're looking at AZ there is no instance flexibility okay so you're just going to use it for exactly what you defined you can queue purchases for regional RI you cannot queue purchases for zonal RI so there you [Music] go let's talk about some RI limits here so there's a limit to the number of reserved instances that you can purchase per month and so uh the idea here is that you can purchase 20 regional reserved instances per region and then 20 zonal reserved instances per AZ so if you have a region that has three AZs you can have uh 60 um zonal reserved instances in that region okay there are some other limitations here so for regional limits you cannot exceed the running on demand instance limit by purchasing regional reserved instances the default for on demand limit is 20 so before purchasing your RI ensure on demand limit is equal to or greater than your RI you intend to purchase you might even want to open up a service uh limit increase just to make sure you don't hit that wall for zonal limits you can exceed your running on demand uh instance limit by purchasing zonal reserved instances if you already uh have 20 on demand instances and you purchase 20 zonal reserved
instances you can launch a further 20 on demand instances that match the specification of your zonal reserved instances so there you go [Music] let's talk about capacity reservation so EC2 instances are backed by different kinds of hardware and so there is a finite amount of servers available within an availability zone per instance type or family remember an availability zone is just a data center or a collection of data centers and they only have so many servers in there so if they run out because the demand is too great you just cannot spin anything up and so that's what's happening you go to launch specific EC2 instance type but AWS is like sorry we don't have any right now and so the solution to that is capacity reservation so it is a service of EC2 that allows you to request uh a reserve of EC2 instance type for a specific region and AZ so here you would see that you just select the instance type platform AZ tenancy the quantity and then here you might manually do it specify time or you might say okay I can't get exactly what I want but can give me something generally around uh that kind of stuff or that type that I want so the reserved capacity is charged at the selected instance type on demand rate whether an instance is running in it or not and you can also use regional reserved instances with your capacity reservations to benefit from billing discounts so there you [Music] go so there are some key differences between standard and convertible RI so let's take a look at it here so the first is that with standard RI you can modify RI attributes so you can change the AZ within the same region you can change the scope uh from a zonal RI to a regional RI or vice versa you can change the instance size uh as long as it's a Linux and it has the default tenancy you can change the network from EC2 Classic to VPC and vice versa but when you're looking at convertible you don't modify RI attributes you perform an exchange okay and so standard RIs cannot do exchanges
where convertible RI you can uh exchange during the term for another convertible RI with new RI attributes and this includes instance family instance type platform scope and tenancy um in terms of the marketplace you can uh they can be bought in standard RI uh in the marketplace or you can sell your RI if you uh don't need them anymore uh but for convertible RI they cannot be sold or bought in the marketplace you're just dealing with AWS directly [Music] okay hey this is Andrew Brown from ExamPro and we are taking a look at the Reserved Instance Marketplace we had mentioned it earlier so let's give it a little more attention here so it allows you to sell your unused standard RI to recoup your spend for RI you do not intend or cannot use so reserved instances can be sold after they have been active for at least 30 days and once AWS has received the upfront payment you must have a US bank account to sell RI on the RI Marketplace there must be at least one month remaining in the term for the RI you are listing you will retain the pricing and capacity benefit of your reservation until it's sold and the transaction is complete your company name and address upon request will be shared with the buyer for tax purposes a seller can set only the upfront price of an RI the usage price and other configurations such as instance type availability zone platform will remain the same as when the RI was initially purchased the term length will be rounded down to the nearest month for example a reservation with 9 months and 15 days remaining will appear as 9 months on the RI Market you can sell up to 20,000 USD in reserved instances per year if you need to sell more RI reserved instances in the GovCloud uh region cannot be sold on the RI Marketplace so there you [Music] go hey it's Andrew Brown from ExamPro and we are taking a look at spot instances so AWS has unused compute capacity that they want to maximize the utility of their idle servers all right so the idea is just like when a
hotel offers booking discounts to fill vacant suites or planes offer discounts to fill vacant seats all right so spot instances provide a discount of 98% compared to on demand pricing spot instances can be terminated if the computing capacity is needed by other on demand customers but from what I hear rarely rarely does spot instances ever get terminated um it's designed for applications that have flexible start and end times or applications that are only feasible at very low compute cost so you see some options here like load balancing workloads flexible workloads big data workloads things like that um there is another service called AWS Batch which is for doing batch processing and this is very common what you use um spot with and so you know if you find the spot interface too complicated you're doing batch processing you want to use this service instead um there are some termination conditions so instances can be terminated by AWS at any time if your instance is terminated by AWS you don't get charged for a partial uh hour of usage if you terminate an instance you will be still charged for an hour uh that it ran so there you go hey this is Andrew Brown from ExamPro and we are taking a look here at dedicated instances so dedicated instances is designed to help meet regulatory requirements AWS also has this concept called dedicated hosts and this is more for when you have strict server bound licensing that won't support multi-tenancy or cloud deployments and we'll definitely distinguish that in this course but just not in this slide in particular um and so to understand uh dedicated instances or hosts we need to understand the difference between multi-tenancy and single tenancy so multi-tenancy you can think of like everyone living in the same apartment and single tenancy you can think of it everyone having their own house so the idea here is that you have a server I'm just going to get my uh cursor or my pen out here to say server and you have
multiple customers running workloads on the same hardware and the idea is that they are separated via virtual isolation so they're using the same server but it's just software that might be separating them okay and then we have the idea of single tenancy so we have a single customer that has dedicated hardware so the physical location is what separates customers um and the idea here is that dedicated can be offered via on demand reserved and spot so that's why we're talking about dedicated here in the pricing model just so you know that you know even though these are a lot more expensive than on demand uh you can still save by using reserved and also spot which I was very surprised about um and when you want to choose dedicated you're just going to launch your EC2 and you'll have a drop down where you have that shared so that's the default dedicated so you have dedicated and dedicated host again we'll talk about dedicated host later when we need to here um and so again the reason why um you know enterprises or large organizations may want to use dedicated instances is because they have a sec uh a security concern or obligation about uh against sharing the same hardware with other AWS customers [Music] okay hey this is Andrew Brown from ExamPro and we are taking a look at AWS Savings Plans and this is similar to reserved instances but simplifies the purchasing process so it's going to look a lot like RI at the start here but I'll tell you how it's a bit different okay so there are three types of savings plans you have Compute Savings Plans EC2 Instance Savings Plans and SageMaker Savings Plans uh and so you just go ahead and choose that you can choose two different terms so one-year three-year so it'd be simple as that and then you choose the following payment options so you have all upfront partial payment and no upfront and then you're going to choose that hourly commitment you're not having to think about standard versus convertible uh regional versus zonal RI
attributes, it's a lot simpler. Uh, and let's just talk about the three different savings plans or types in a bit more detail. So you have compute, so Compute Savings Plans provides the most flexibility and helps to reduce your cost by 66%. These plans automatically apply to EC2 instance usage, AWS Fargate, AWS Lambda service usage, regardless of the instance family, size, AZ, region, OS or tenancy. Then you have EC2 instances, so this provides the lowest prices, offering savings up to 72% in exchange for commitment to usage of instance, uh, individual instance families in a region, so automatically reduce, uh, your cost on the selected instance family in the region regardless of AZ, size, OS, tenancy, gives you the flexibility to change your usage between instances with a, within a family in that region. And the last is SageMaker, so helps you reduce SageMaker cost by, uh, up to 64%, automatically apply to SageMaker usage regardless of instance family, size, component, AWS region. If you don't know what SageMaker is, that's AWS's ML service, and it uses EC2 instances, or specifically ML EC2 instances, so everything's basically using EC2 here. Um, but there you go.

All right, let's take a look at the zero trust model, and the zero trust model is a security, uh, model which operates on the principle of trust no one and verify everything. So what I mean by that is malicious actors being able to bypass conventional access controls demonstrates traditional security measures are no longer sufficient, and that's where the zero trust model comes into play. So with the zero trust model, identity becomes the primary security perimeter. Uh, and so you might be asking, what do we mean by primary security perimeter? The primary or new security perimeter defines the first line of defense and its security controls that protect a company's cloud resources and assets. Um, if this still doesn't make sense, we do cover a part of the defense in depth where you see the layers of defense from data all the way to physical, and so you
can kind of see, you know, what we're talking about in that model there. But the old way that we used to do things is network-centric, so we had traditional security focused on firewalls and VPNs, since there were few employees or workstations outside the office, or they were in a specific remote office. So we treated the network, uh, the network as kind of like the, the boundary, so if you're in, in office, there's nothing to worry about. But we don't think like that anymore, because everything is identity-centric. So this is where we have bring your own device, remote workstations, which are becoming more common. Uh, we can't always trust that the employee is in a secure location. We have, uh, identity-based security controls like MFA, we're providing provisional access based on the level of risk from where, when and what a user wants to access, and identity-centric does not replace, uh, but it augments network-centric security. So it's just an additional layer of consideration for, uh, security when we're thinking about our AWS cloud workloads, okay.

All right, so we just loosely defined what the zero trust model is, so let's talk about how we would do zero trust on AWS. And so zero trust has to do a lot with identity security controls, and so let's talk about what is at our disposal on AWS. So on AWS we have Identity and Access Management, IAM. This is where we create our users or groups or policies, so an IAM policy is a set of permissions that allow you to say, okay, this user is allowed to use, uh, these services with these particular actions. Uh, then you have the concept of permission boundaries, and so these are saying, okay, um, these aren't the permissions the user has currently, but these are the boundaries to which we want them to have, so they should never have access to, um, uh, ML services, and if someone's to, uh, apply them, uh, uh, permissions, it'll always be within these boundaries. Then you have service control policies, and these are organization-wide policies, so if you have a policy where you don't want anyone
to run anything in the Canada region, you can apply that policy at the organization level and it will be enforced. Then within an IAM policy there is the concept of conditions, and so these are all the kind of like, uh, little knobs you can, uh, tweak to say, how do I, uh, control based on a bunch of different factors. So there is source IP, so restrict where the IP address is coming from. A requested region, so restrict based on the region, as we just mentioned as an example. Uh, multi-factor auth presence, so restrict if MFA is turned off. Uh, current time, so restrict access based on time of day, maybe your, your employees should never be really using things at night, and so that could be an indicator that someone is doing something malicious, so, you know, only give them access during a certain time of day. And so that's where we're going to figure out, you know, based on all these type of controls, security controls, uh, to our AWS resources, we can kind of enforce the zero trust model on AWS. AWS does not have ready-to-use identity controls that are intelligent, which is why AWS is considered not to have a zero trust offering for customers, and third-party services need to be used. So what I'm saying is that technically, you know, this checkbox is, this thing saying, okay, we can kind of do zero trust on AWS, but the, there's a lot of manual work, and, you know, if I was to say, okay, um, I don't want anyone using this at nighttime, it doesn't really detect, you know what I'm saying, it's not going to say, oh, I think this time is suspicious and malicious, so then restrict access only to these core services, and anything outside of the services can't be used. It just can't exactly do that without a lot of, um, work yourself. And that's what I'm talking about here, where we have a collection of AWS services that can be set up in an intelligent, intelligent-ish detection way for identity concerns, but requires expert knowledge. So the way you might do that on AWS is that everything, all the API calls, go through AWS CloudTrail, and so what
you could do is feed those into Amazon GuardDuty, and GuardDuty is an intrusion, uh, uh, intrusion detection and protection system, so it could detect suspicious or malicious activity on those CloudTrail logs, and you could follow that up with remediation, or you could pass that on to Amazon Detective, that could analyze, investigate and quickly identify security issues, uh, that it could ingest from GuardDuty. But I'm telling you that this stuff here is not as easy, um, for the consumer, and so you, of course you can do zero trust model, but it's going to take a lot of work here, and there are some limitations, which we'll talk about next here.

So now let's see how we would do zero trust on AWS with third parties. So AWS does technically implement a zero trust model, but does not allow for intelligent identity security controls, which, you know, you can do it, but it's a lot of work. So, uh, let's kind of compare it against kind of a third party where we would get the controls that we would not necessarily get with AWS. So for example, Azure Active Directory has a real-time and calculated risk detection based on more data points than AWS, and this is based on device and application, time of day, location, whether MFA is turned on, what is being accessed, and the security controls verification or logic restriction is much more robust. So, you know, just as one particular example, like device and application is not something that AWS factors in, uh, with the existing controls, or at least not in a way that is consumer friendly. And, you know, I can't say on AWS, okay, when you think that this is the type of threat, only allow them access to these things, or if you think they're in a risky area or risky, uh, location, only give them access to, you know, these things where there's not sensitive data. You can't exactly do that on AWS very easily, and so this is where third-party solutions are going to come into play. So you have Azure Active Directory, Google BeyondCorp, JumpCloud, uh, all these have more intelligent
security controls for real-time detection. Um, and so the way you would use these is these would be your primary directories. Uh, for Google BeyondCorp is just a zero trust framework, so I guess you'd use, uh, Google's, uh, cloud directory, but the idea anyway here is that you'd use single sign-on to connect those directories to your AWS account, and that's how you access those, uh, AWS resources, and you get this more robust functionality, okay.

Hey, it's Andrew Brown from ExamPro, and we're looking at identity. Now we need to know a bunch of concepts before we talk about identity on AWS, so let's jump into it. The first is a directory service. So what is a directory service? Well, it's a service that maps the names of network resources to network addresses, and a directory service is shared, uh, infrastructure or information infrastructure for locating, managing, administrating and organizing resources such as volumes, folders, files, printers, users, groups, devices, telephone numbers and other objects. A directory service is a critical component of a network operating system, and a directory server or a name server is a server which provides a directory service. So each resource on the network is considered an object by the directory server. Information about a particular resource is stored as a collection of attributes associated with that resource or object. Uh, well-known directory services would be a Domain Name Service, um, so the directory service for the internet, Microsoft Active Directory, and, uh, they have a cloud-hosted one called Azure Active Directory, we have Apache Directory Service, Oracle Internet Directory, so OID, uh, OpenLDAP, uh, Cloud Identity and JumpCloud, okay.

Hey, this is Andrew Brown from ExamPro, and we are taking a look at Active Directory. Now you might say, well, we're doing AWS, why are we looking at this? Well, no matter what cloud provider you're using, you should know what Active Directory is, uh, especially when it comes to identity, because you can use
it with AWS. Um, so let's talk about it. So Microsoft introduced Active Directory Domain Services in Windows 2000 to give organizations the ability to manage multiple on-premise infrastructure components and systems using a single identity per user, and since then it's, uh, involved, uh, evolved, obviously it's, uh, running beyond Windows 2000 as of today, and, uh, they even have a managed one called Azure AD, which is on Microsoft Azure. But just to kind of give you an architectural diagram here, the idea is that you would have your domain servers here, uh, and they might have child domains, and the idea is that you have these running on multiple machines so that you have redundant ability to log in from various places. When you have a bunch of domains, it's called a forest, and then within a domain you actually have organizational units, and then within organizational units you have all your objects, like your users, your printers, your computers, your servers, uh, all things like that, okay.

Hey, it's Andrew Brown from ExamPro, and we're talking about identity providers or IdPs. So, hey, this is Andrew Brown from ExamPro, and we are talking about identity providers, also known as IdPs. So an identity provider is a system entity that creates, maintains and manages identity information for principals and also provides authentication services to applications within a federation or distributed network. A trusted provider of your user identity that lets you use authent, uh, lets you authenticate to access other services. Identity providers, so this could be like Facebook, Amazon, Google, Twitter, GitHub, LinkedIn. Uh, federated identity is a method of linking a user's identity across multiple separate identity management systems, and so some things that, uh, we can use for that is like OpenID, so this is an open standard and decentralized authentication protocol, allows you to be able to log in to different social media platforms using a Google or Facebook account. OpenID is about providing who you are. Then
we have OAuth 2.0. This is an industry-standard protocol for authorization. OAuth doesn't share password data but instead uses authorization tokens to prove an identity between consumers and service providers. OAuth is about granting access to functionality. And then we have SAML, Security Assertion Markup Language, which is an open standard for exchanging authentication and authorization between an identity provider and a service provider, and this is an important use for SAML, which we use for single sign-on via the web browser, okay.

Hey, this is Andrew Brown from ExamPro, we're looking at the concept of single sign-on. So SSO is an authentication scheme that allows a user to log in with a single ID and password to different systems and software. SSO allows IT departments to administer a single identity that can access many machines and cloud services. So the idea is you have Azure Active Directory, this is just an example of a very popular one, you'd use SAML to do SSO, and you can connect to all things, Slack, Google Workspace, Salesforce or your computer. Uh, the idea here is, uh, once you, uh, log in, um, you don't have to log in multiple times, so you log into your primary directory, and then after that you're not going to be presented with a login screen. Some services might show an intermediate screen, but the idea is you're not entering your credentials in multiple times, so it's seamless.

All right, let's talk about LDAP. So Lightweight Directory Access Protocol is an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over, uh, an IP network. So a common use of LDAP is to provide a central place to store usernames and passwords. LDAP enables for same sign-on, so same sign-on allows us to, uh, use a single ID and password, but they have to enter it every single time they want to log in. So maybe you have your on-premise Active Directory, and then it's going to store it in that LDAP directory, and so the idea
is that, um, you know, all these services like Google, Kubernetes, um, Jenkins is going to, uh, deal with that LDAP server. So why would you use LDAP over SSO, which is more convenient or seamless? So most SSO systems are using LDAP under the hood, but LDAP was not designed natively to work with web applications, so some systems only support integration with LDAP and not SSO, so you got to take what you can get, okay.

Let's take a look here at multi-factor authentication, also known as MFA, and this is a security control where after you fill in your username or email and password, you have to use a second device such as a phone to confirm that it's you that is logging in. So MFA protects against people who have stolen your password. MFA is an option in most cloud providers and even social media websites such as Facebook. So the idea is I have my, uh, username or email and password, I'm going to try to log in, this is the first factor, and the second factor or multi-factor is I'm going to use a secondary device, so maybe my phone, we're going to enter in different codes, or maybe it's passwordless, so I just have to press a button to confirm that it's me, and then I'll get access. So in the context of AWS, it's strongly recommended that you turn on MFA for all your accounts, especially the AWS root account. Uh, we'll see that when we do the follow-alongs.

Let's take a look at security keys. So a security key is a second device used as a second step in the authentication process to gain access to a device, workstation or application. A security key can resemble a memory stick, and when your finger makes contact with a button of exposed metal on the device, it will generate and autofill a security token. A popular brand of security keys is the YubiKey, and this is the one I use, and it looks exactly like the one that's right beside my desk. It works out of the box with Gmail, Facebook and hundreds more, supports FIDO2, WebAuthn, uh, U2F, it's waterproof and crush resistant, it, uh, has variations like USB-A, USB, uh, NFC, dual
connectors on a single key, can do a variety of things. So when you turn on MFA on your AWS account, you'll have virtual MFA device, so that's when you're using something like a phone or using software on your phone to do that. Then there's the U2F security key, so this is what we're talking about right now, and there's even other kinds of hardware MFA devices, um, which we're not really going to talk about, but, um, you know, just security keys tie into MFA, and this is a lot better way than using a phone, because, you know, you can have it on your desk and press it, um, and, you know, you don't have to worry about your phone being not charged, okay.

Hey, this is Andrew Brown from ExamPro, and we are taking a look at AWS Identity and Access Management, also known as IAM, and you can use this service to create and manage AWS users, groups, uh, use permissions to allow and deny their access to AWS resources. So there's quite a few components here, let's get to it. So the first is IAM policies, so these are JSON documents which grant permissions for specific users, groups or a role to access services, and policies are attached to IAM identities. Then you have IAM permissions, or a permission, and this is an API action that can or cannot be performed, and they're represented in the IAM policy document. Then there's the IAM identities, so we have IAM users, these are end users who log into the console or interact with AWS resources programmatically or via clicking UI interfaces. You have IAM groups, so these, these, uh, group up your users so they all share the same permission levels, so maybe it's admins, developers or auditors. Then you have IAM roles, so these roles grant AWS resources, uh, permissions to specific AWS API actions, and associate policies to a role and then assign it to an AWS resource. So just understand that roles are when you're attaching these to, uh, resources, so like if you have an EC2 instance and you say it has to access S3, you're going to be attaching a role, not a policy directly.
Okay.

Hey, this is Andrew Brown from ExamPro, and we are looking at IAM policies a little bit closer here, and they are written in JSON and contain the permissions which determine the API actions that are allowed or denied. Um, and rarely do I write these out by hand, uh, because they have a, a little wizard that you can use to write out the code for you, but if you want to, you absolutely can write it out by hand, but we should know the contents of it and how these JSON files work. So the first thing is the version, uh, which is the policy language version, and it's been 2012 for a very long time, I don't see that changing anytime soon, if they happen to change, uh, what, or what the structure of the JSON is. Then you have the statements, and these are for policy elements, uh, and you're allowed to have multiples of them, so the idea is that this is the, the policies or permissions, we should say, uh, that you, uh, plan on applying. Then you have the Sid, this is a way of labeling your statements. Um, this is useful for like visualization or for referencing it for later on, but a lot of times you don't have to have a Sid. Um, then there's the effect, it's either allow or deny. Then you have the action, so here we're saying give access to S3 for all actions under it. There's another action down below where it's saying give access, I'm going to get my pen tool out here, just to create a service-linked role, so that's a cross-account role there. Then there's the principal, so this is the account, user, role or federated user to which you would like to allow access or deny, so we're specifically saying, uh, this IAM user named Barkley, um, in our AWS account there. Uh, then there are the resources, so the resources to which the action applies. Um, so in this one up here we are specifying a specific AWS bucket, here we're saying all possible resources in, in the AWS account. And then the condition, so, so there's all sorts of different kinds of conditions, so this is a StringLike one, and it's saying look at the service name, and if it
starts with this or that, then they'll have access to that, so this person, even though it says all resources, they're really only going to have access to RDS, okay.

So in this follow-along we're going to take a closer look at IAM policies, so go to the top and type in IAM, and what we'll do is make our way over here, uh, all the way over to policies, and what I want to do is create a new policy that only has access to, uh, um, limited resources. So, um, let's say we want to create an Amazon EC2 instance, and that EC2 instance has access to a very particular S3 bucket. So what I want you to do is make your way over to S3, and we're going to create ourselves a new bucket, and I'm going to go ahead and create a bucket here, we're going to call this, um, policy tutorial, and I'm going to just put a bunch of numbers here, you'll have to randomize it for your use case. And so now that we have our bucket, what we're going to do is go ahead and create a policy, and the policy is going to choose a service, we're going to say S3, and what I want to do is only be able to list out actions. I'm going to expand this, so I don't want everything, so we're just going to say list buckets, okay. And then what we'll do is, uh, expand this here, and I want to save for a particular bucket, so we'll go back over here, click into our bucket, and, uh, we're going to go ahead and set those permissions by finding that ARN, we're going to paste that, we're going to paste that ARN up there, sometimes it's a bit tricky, it vanishes on you, and we could set other conditions if we wanted to, but this is pretty simple as it is. And so that's our rule here, right, so we're saying this policy allows us to list this bucket for that, okay. So what we'll do is go ahead and hit next, we'll hit review, and we'll just say my bucket policy, and we'll create that policy, okay. So there's a few other things I think that I'd like to do with this policy, I'm going to pull it back up here, so if we want to find it, uh, used to be able to filter these based on
the ones that you created, but, um, yeah, they show like the little I, so these are ones that I've created up here, and so there's my bucket policy, and I feel like I want to update this policy to have a bit of extra information here, so I'm going to go edit this policy. No, you know what, I think this is fine. So what I want to do is now create a role, and we're going to create a new role, and I'm going to call this, um, well, before I do, I need to choose what it's for, so it's going to be for EC2, so we're going to go ahead and hit next. We're going to choose our policy, so my bucket policy, there it is, and I want to add another one here, because I want to be able to use Sessions Manager, because I really don't want to use an SSH key to check that this works. And so, um, for this I, I need to use SSM, so I'm going to type in SSM here, and I'm just making sure this is the new one, so this policy will soon be deprecated, use AmazonSSMManagedInstanceCore. Should always open these up and read them and see what they do, and so that's the one that's going to allow us to access, uh, Systems Manager so we can use, um, Sessions Manager, okay. And so we're going to say my EC2 role for S3, and we're going to go ahead and create ourselves a role. So now that we have our role, I'm going to go over to EC2 and I'm going to go ahead and launch myself a new instance. We're going to choose Amazon Linux 2, we're going to stick with t2.micro, I'm going to go over to configuration here, everything is fine here, um, I'm fine with all that, storage is fine, we'll go to security group, and I don't want any ports open because I'm not going to be using SSH. We're going to launch this instance, I don't even want a key pair, okay. And then we're going to go over here, and so what we're waiting for is this instance to launch. As that is going, what I want to do is go over to my S3 bucket, and I want to place something in this bucket, so I do have some files here, um, so what I'm going to do, let's create a new folder here, whoops, I'm going to go back and I'm
just going to create a folder first, create a folder, Enterprise D, and I'm going to click into this, and then I'm going to upload all my images here, so you'll have to find your own images off the internet, this is just the ones I have, and we'll go ahead and upload those, give that a moment, okay. And so we don't have access to read those files, we'll adjust our policy as we go so that we can do that, okay. So this instance should be running, um, it, has, doesn't have the two status checks passed, we should be able to, uh, connect to it, so click on connect here, and so we have options like EC2 Instance Connect, Sessions Manager, SSH client. I want you to go to Sessions Manager. It says we weren't able to connect to your instance, common reasons: SSM agent wasn't installed, we absolutely have that installed; the required IAM profile, oh right, so we were supposed to attach, I forgot to do, we were supposed to attach an IAM profile, right. So an IAM profile is the role, uh, it, or the, it holds the role, uh, that's going to give the permissions to that instance, and since we didn't add it, we have to go retroactively add it after the fact. And so I'm going to have to modify the IAM role, and we're going to choose my EC2 role for S3, and we're going to save that, and actually when that happens you have to reboot the machine. You only have to do that if you have no role attached, like prior, no profile attached, and you're attaching it for the first time, but after that you never have to reboot the machine, this is the only case where you'd have to do that. That's why when I launch an EC2 instance I always at least have the SSM role attached, the managed one that gets Sessions Manager, so that I don't, don't ever have to do a reboot in case I have to update the policy. And so we will give that a moment there, it says initializing, so I'm going to try again to connect to it, okay, and we still don't have that option there. Um, so I'm going to go back to my instances, I'm going to check to see if the role, the rule or policy is attached, or
profile, I should say, so I'm just looking for it here, there it is. And so if I click into this, into the role, we can see that we have the AmazonSSMManagedInstanceCore there, so that's set up, and then my, uh, bucket policy, so this has everything that it should be able to do it, no problem, okay. So I'm going to try that again, okay, so now the connect shows up. AWS is finicky like that, you just have to have confidence in knowing what you're doing is correct, okay. We'll go ahead and hit connect, and I didn't have to use SSH keys or anything, and this is a lot more secure way to connect to your instances. When it logs us in, it's going to set us as the SSM user, but we want to be the, um, the ec2-user, okay. That's, uh, AWS always makes their AMI, like their Linux version, as the ec2-user, and that's what you're supposed to use, but it's just, you just, that's how you have to get to that, you just have to type that sudo su - ec2-user, okay, just once, and if you type whoami, that's who you are. If you type exit, you'll go back to that user, so I type exit and I type whoami, I'm now this person, so I'm going to go back, hit up, go back in there, type clear. So now I want to see if I have access to S3, so I have to do aws s3 ls, want to see if I can list buckets. It says access denied, so I mean, that kind of makes sense, because if you have list buckets and we're just saying only that bucket, that might not make a whole lot of sense. So I'm going to go back to my policy, I might have just written a, a crummy policy, but we'll say IAM here, if we have that one open we should just go here and click on this policy here, I'm going to edit that policy. So what I'm going to do is I'm just going to change it and we'll do all resources, review the policy, save changes, and we'll see how fast that propagates, okay, because I'm pretty sure I don't have to do anything here, it should just now give me full access to S3. Just going to keep on hitting up here. So what I'm going to do is I'm just going to take like a three, four minute break, going to get a
drink, I'm going to come back here and see if this propagates. I'm pretty sure I don't have to do anything for that to propagate, and I think that I've attached everything correctly here, okay. Okay, so I haven't had much luck here, it's still having the same issue, so if that is happening, what I'm going to do, um, is I'm just going to reboot it, because maybe I didn't give it a good opportunity to reboot there. Again, I don't think we should have to reboot it every time when we, we're changing, um, uh, things there, but we will give it another go here and see if, if that fixes that problem there. So now Sessions Manager is going to time out here, which is totally fine, it's going to kill that session there, um, and so what we'll have to do is close this out, because there's not much we can do with that, and we're going to go ahead and go back to connect, and so we're waiting for this button to appear, because it is rebooting. So if we want to monitor that stuff, usually there is an option here to monitor where it'll show us the system logs of what it's doing, so here it's just like restarting the machine. I'm not sure if we expect to see something after this, so I can click that there, and, uh, yeah, it's easy to get turned around with this. So I can connect to it again now, we'll type in sudo su - ec2-user, aws s3 ls, and we still have access denied for list buckets. So if that's the case, it could be that, um, sometimes you need other permissions when doing list policy, like, uh, list buckets, so if that's the case we're going to do a sanity check, I'm just going to say all permissions here, okay, and this way there's no way that I've set this incorrectly, um, it just has to work now. Type this in, there we go, okay, so there has to be something more to it. So just because you say list buckets, you know, like, means there must be more to it, right. So if I go here to this, right, and I say, whoops, and I say, uh, list buckets here, we'll say copy, paste, okay, here it's saying maybe I need get object as well. So I just know from
using AWS a long time that that's the case, that it could be more than one thing, so, you know, that was in the back of my mind that that could be happening, and I guess that is, but notice I didn't have to restart my, uh, my server, boot my server, to get those to work. Um, uh, but anyway, let's go lock that down and see if we can just kind of make this, uh, more focused. So let's say, um, all resources, I'm going to specify the condition, so I might want to just say for particular buckets, we say specific, when you checkbox everything then you have to do this, so for storage accounts these are fine, any, for objects that could be something, we'll say multi-region access, bucket, any bucket. But what I'm going to say is I want to only allow them to access things in a particular bucket, and so if I go to ARN here, um, what is our bucket name? Our bucket name is policy tutorial 3414 whatever, right, and so we can actually give it a wildcard, or we can say Enterprise D, and we learned this in the course, that, uh, you can provide ARNs with randomized things there. I don't know if I spelled it wrong over here, so I should really double check, I should probably just copy it, oops, I just don't want to type it wrong. And so this, okay, means that we should only be able to get stuff from there. I'm going to review the policy, see if it takes, save the changes, and if I just view the JSON here, notice it says anything from here, right, so allow S3 anything as long as it's within here, and then it also broke it up into sub one4 here, okay. Um, so anyway, what I want to see is what happens if I upload something into the loose area here, so I'm going to say upload, and I'm going to just say add a file, we're just going to grab data here and upload it, go back to our bucket there, there's our file, we have that stuff in there. And so if I go back over to my EC2 instance, which I'm still connected to, uh, whoami, okay, great, clear. Um, so I'm going to say aws s3 ls, see if that works still, it does, good. And so what I want to do is see if I can copy a
file locally, so I'm going to do aws s3 copy, I think it was s3, no, it's just s3 copy, polic, uh, s3 slash slash policy tutorial 34 141, whoops, 34, tutorial hyphen 34141 slash Enterprise D data.jpg, I think it's a JPG, let's go double check, yeah, it is, okay, and then I just want to say data.jpg, and it downloaded it, right. So I'm going to remove that one, and so now what I'm going to do is I'm just going to see if my policy is working, or maybe my permissions aren't exactly what I think they are, and I was able to download it. So it's, these policies can get kind of tricky, because like this one says allow all actions for these, but then these say all actions, and so that makes it hard, because I want get object. So another thing we can do, and if that one doesn't work really well, I'm just going to write one by hand, it's not that scary to write these by hand, you just get used to it. So I'm going to say effect, um, is it disallow, or maybe it's deny, deny, action, s3 GetObject, I believe that's what it is, resource, and then I'm going to specify exactly the resource I don't want it to allow, so we're going to say arn aws s3, three colons, policy tutorial 34141, uh, and just say data.jpg. Now if this is not valid, it's going to complain and say, hey, you didn't write this right, and it, and it's fine, okay. So we'll save those changes, and so that should deny access to that, right, hopefully I got the policy right, okay. So that one doesn't work, which is fine, and that one's fine, so that worked, we were able to deny that. But you can see there's a little bit of an art to creating these policies, uh, as you make more of them it becomes a lot easier, so hopefully it's not too scary, but, uh, that's all there really is, uh, to it that I want to show you today. So what we're going to do is clear out this bucket, we're done with this bucket here, so we'll say delete, whoops, we got to empty it first, and we'll just say permanently delete here, okay, and we will exit that out, we're going to go ahead and delete that bucket, grab its name
here and uh we'll go back over here I think I forgot to delete this bucket from earlier I'm just going to delete that because I don't need that bucket so that's okay with you just going to go ahead and delete that and we have that EC2 instance running so we want to stop that go ahead and we're going to terminate that yes please and then we'll go to IAM and do some clean up I have some custom roles I've been creating um you know from prior things a lot of those usually there's a way to uh We've redesigned it okay where's the redesign this is the redesign that can't be it because there'll be like roles that AWS makes I think these are all roles that I've made um I don't want to delete service roles but I want to get rid of some of these cause I just have too many you know it's getting out of hand for me and I'm going to just see if it will let me delete all of these let's delete those there we go just clean up a bit I still have a lot here but there's like service roles that AWS creates once and you really don't want to delete those because you don't um and then I have a bunch of these like like I'm never going to use these so I might as well detach them delete detach you really don't want to keep like roles that you're never going to use around things like that like gauze we going to be using that again delete there's that bucket we just created but anyway you get the idea so uh yeah that's uh that's IAM [Music] okay principle of least privilege PoLP is the computer security concept of providing a user role or application the least amount of permissions to perform an operation or an action and the way we can look at it is that we have just enough access so JEA permitting only the exact actions for the identity to perform a task and then we have just in time JIT permitting the smallest length of duration an identity can use permission so usually when we're talking about PoLP it's usually a focus on here uh but now these days uh there's a larger focus on JIT as well and so JIT
is the difference between having long-lived um uh permissions or access keys versus short-lived ones and the most progressive thing in PoLP is now risk-based adaptive policies so each attempt to access a resource generates a risk score of how likely the request is to be from a compromised source so the risk score could be based on many factors such as device user location IP address what service is being accessed and when did they use MFA did they use biometrics things like that and right now as of this time AWS just does not have a risk-based adaptive policies built into IAM you can roll your own um what's interesting is Cognito has risk-based adaptive policies they call like um adaptive authentication but that's for user pools and not identity pools user pools is for getting access to an app uh that you have built through an IdP where identity pools in Cognito is about getting access to AWS resources so uh you know I'm sure AWS will get it eventually but they just don't have it right now and you have to rely on third-party um identity solutions uh to get risk-based adaptive policies now talking about just enough access and just in time just in time is like you think how would you do that with AWS you just add and remove permissions manually well one thing you could do is use something like ConsoleMe so this is an open source Netflix project to self-serve short-lived IAM policies so an end user can access AWS resources while enforcing JEA and JIT and so there's a repo there as well um but the idea is they have like this self-serve wizard so you say I want these things and then the machine decides okay you can have them or you you don't need them and it just frees you up asking people and worrying about the length and stuff like that [Music] okay hey this is Andrew Brown from ExamPro and we are taking a look at the AWS root user uh and this gets confusing because there's an account root user and regular user so let's distinguish what those three things are
so here we have an AWS account and the account which holds all the AWS resources including the different types of users then you have the root user this is a special account with full access that cannot be deleted and then you have just a user and this is a user for common tasks that is assigned permissions so just understand that sometimes people say AWS account they're actually referring to the user and sometimes when they're saying AWS account they're actually referring to the AWS account that holds the users I know it's confusing it just it's based on what people decide the context is when they're speaking so the AWS account user is a special user who's created at the time of the AWS account creation and they can do uh they have a lot of conditions around them so the root user account uses an email and password to log in as opposed to the regular user who's going to provide their account ID alias username and password the root user account cannot be deleted the root user account has full permissions to the the account and its permissions and cannot be limited and when we say it cannot be limited we're saying that if you take an IAM policy to explicitly deny the user access to resources it's not something you can do however you can do it in the case of AWS Organizations with service control policies because a service control policy applies to a bunch of accounts so it just it's one level above and so that is a way of limiting root users but generally you can't limit them within their own account uh there can only be one root user uh per AWS account the root user is instead for very specific and specialized tasks that are infrequently or rarely performed and there's a big list and we'll get into that here in a moment and the root uh account should uh not be used for daily or common tasks it's strongly recommended to never use the root user's access keys because you can generate those and use them it's strongly recommended to turn on MFA for the root
user and AWS will bug you to no ends to tell you to turn it on so let's talk about the uh tasks that you should be performing with a root user and only the root user can perform so changing your account settings this includes account name email address root user password root user access keys other account settings such as contact information payment currency preference regions do not require the root user credentials so not everything um restore IAM user permissions so if there's an IAM admin so just a user that has admin access who actually revokes their own permissions you can sign into the root user to edit policies and restore those permissions um so you can also activate IAM access to the Billing and Cost Management console you can view certain tax invoices you can close your AWS account you can change or cancel your AWS support plan register as a seller in the Reserved Instance Marketplace enable MFA uh Delete on S3 buckets edit or delete an Amazon S3 bucket policy that includes an invalid VPC ID or VPC endpoint ID sign up for GovCloud and something that's not in here which this I took this from the documentation but uh you can use the AWS uh account user to create the organization you can't create that with any other user so um you know the ones I highlighted in red are very likely to show up your exam and that's uh why I highlighted them there for you but there you [Music] go hey this is Andrew Brown from ExamPro and we are taking a look at AWS Single Sign-On also known as AWS SSO and so this is where you create or connect your workforce identities in AWS once and manage access centrally across your AWS organization so the idea here is you're going to choose your identity source whether it's AWS SSO itself Active Directory SAML 2.0 IdP you're going to manage user permission centrally to AWS accounts applications SAML applications and it uses uh it can you get single click access to all these things so you know just to kind of zoom in on this
graphic here uh you know you have your on-premise Active Directory it's establishing a AD trust connection over to AWS Single Sign-On you're going to be able to apply permissions to access resources within your AWS account so via AWS Organizations in your organizational units down to your resources you can also use AWS SSO to access custom SAML-based applications so you know if I built a web app and I uh like the ExamPro platform and I wanted to use SAML-based uh connections for single sign-on there I could do that as well and you can connect out SSO access to your business cloud application so Office 365 Dropbox Slack things like that so there you go well let's take a look here at application integration so this is the process of letting two independent applications to communicate and work with each other commonly facilitated by an intermediate system so cloud workloads uh strongly encourage systems and services to be loosely coupled and so AWS has many services for the specific purpose of application integration and these are based around common systems or design patterns that utilize application integration and this would be things like queuing streaming pub/sub API gateways state machines event buses and I'm sure there are more but that's what I could uh think about that are the most common ones [Music] okay so to understand queuing we need to know what is a messaging system so this is used to provide asynchronous communication and decouple processes via messages and events from a sender receiver or a producer and a consumer so a queuing system is a messaging system that generally will delete messages once they are consumed it's for simple communication it's not real time you have to pull the data it's not reactive and uh a good analogy would be imagining people that are queuing in a line to go do something so for AWS it's called Simple Queuing Service SQS it's a fully managed queuing service that enables you to decouple and scale microservices
distributed systems and serverless applications so a very common use case in a web application would be to queue up transactional emails to be sent like sign up reset password and the reason why we have queuing to decouple uh those kind of actions is that if you had a long running task um and you had too many of them it could hang your application so by decoupling them and letting a separate compute uh service take care of that um that would be something that would be very useful okay let's take a look here at streaming and so this is a different kind of messaging system um but the idea here is you have multiple consumers that can react to events and so in streaming we call messages events and then in a queuing system we just call them messages but events live in the stream for long periods of time so complex operations can be applied and generally streaming is used for real-time stuff whereas queuing is not necessarily real time and so AWS's solution here is Amazon Kinesis you could also use Kafka but we'll focus on Kinesis here so Amazon Kinesis is the AWS fully managed solution for collecting processing and analyzing streaming data in the cloud so the idea is that you have these producers so that are producing events could be EC2 instances mobile devices could be a computer or traditional server they're going to go into the data stream there's a bunch of shards that scale and there's consumers on the other side so maybe Redshift wants that data DynamoDB S3 or EMR okay but the thing you have to remember is that streaming is for real-time data and as you can imagine because it's real time and it's doing a lot more work than um a queuing system it's going to cost more [Music] okay so we have another type of messaging system known as pub/sub so this stands for publish subscribe pattern commonly implemented in messaging systems and a pub/sub system the sender of messages the publishers do not send their message directly to receivers they instead send their
messages to an event bus the event bus categorizes their messages into groups then receivers of messages subscribers subscribe to these groups whenever new messages appear within their subscriptions the messages are immediately delivered to them so the idea is you have publishers event bus subscribers and event buses appear more than once so it actually appears in streaming appears in this pub/sub model and then it can appear in other variations so you're going to hear it more than once the word event bus um so the idea here is the publisher has no knowledge of who the subscribers are subscribers do not poll for messages messages are instead automatically immediately pushed to the subscribers and messages and events are interchangeable terms in pub/sub all right and so you know the idea here with publisher subscribers just imagine getting like a um a magazine subscription right if you think of that you kind of think of the mechanisms that are going here in terms of practicality it's very common to use these as a real-time chat system or a webhook system so you know hopefully that gives you an idea there in terms of AWS's solution we're using Simple Notification Service SNS this is a highly available durable secure fully managed pub/sub messaging service that enables you to decouple microservices distributed systems and serverless applications so here we have a variety of publishers like the SDK the CLI CloudWatch AWS services you'll have your SNS topic you can uh filter things fan them out and then you have your subscribers so Lambda SQS emails PS looks very similar to streaming but again you know um you know there's not a lot of communication going back between it it's just publishers and subscribers and it's limited to you know these things here so it's a very managed service right whereas uh Kinesis you can do a lot more with it [Music] okay so what is API Gateway well it is a program that sits between a single entry point and a and multiple backends API
Gateway allows for throttling logging routing logic or formatting of the requests and response when we say request and response we're talking about HTTPS uh requests and responses and so the service for AWS is called Amazon API Gateway so API Gateway is just a type of pattern and this is the few cases where AWS has named the thing after what it is and so we have Amazon API Gateway which is a solution for creating secure APIs in your cloud environment at any scale create APIs that act as a front door for applications to access data business logic or functionality from backend services so the idea is that you have data coming in from uh mobile apps web apps IoT devices and you actually define the API calls and then you say where do you want them to go so maybe tasks are going to go to your Lambdas um and then other routes are going to go to RDS Kinesis EC2 uh or your web application and so these are really great for having um this uh being able to define your API routes and change them on the fly and then and always route them to the same place [Music] okay so what is a state machine it is an abstract model which decides how one state moves to another based on a series of conditions think of a state machine like a flowchart and for AWS the solution here is AWS Step Functions so coordinate multiple AWS services into a serverless workflow a graphical console to visualize the component of your application as a series of steps automatically trigger and track each step and retries when there are errors so your application executes in order as expected every time logs the state of each step so when things go wrong you can diagnose and debug problems quickly and so here's an example of using a bunch of um uh steps together on the uh the AWS Step Functions service and so you know this is generally applied for serverless workflows but it is something that is very useful in application integration [Music] okay so what is an event bus an event bus receives events from a source
and routes events to a target based on rules so I'll get my pen tool out here so we have an event it enters the event bus we have a rules tell it to go to the target it's that simple and we have been seeing event buses in other things like uh streaming and uh pub/sub but AWS has this kind of event offering uh that is kind of high level it's called EventBridge and it's a serverless event bus service that is used for application integration by streaming real-time data to your applications the service was formerly known as event Amazon CloudWatch Events they gave it a renaming to give it uh a better um opportunity for users to know that it's there to use uh and they also extended its capabilities and so the thing is that a lot of AWS services are always emitting events and they're already going into this bus and so if you utilize this service um it's it's a lot easier than having to roll your own thing uh with other services so Amazon EventBridge will just define an event bus so there is an event bus holds event data defines the rules on event bus to react to events you always get a default event for every single AWS account you can create custom event buses scoped to multiple accounts or other AWS accounts you have a SaaS event bus scoped to third-party SaaS providers you have producers these are AWS services that emit events you have events these are data emitted by services they're JSON objects that uh travel the stream within the event bus you have partnered sources these are third-party apps that can emit events to event buses you have rules these determine what events to capture and pass to targets and then targets which are AWS services that consume events so yeah it's all just this great built-in um uh uh stuff that's going on here and so you know there there might be a case where you can use EventBridge and save your time uh a lot of time and effort uh doing application integration okay hey this is Andrew Brown from ExamPro and we are taking a look at
application integration services at a glance here so let's get through them so the first is Simple Notification Service SNS this is a pub/sub messaging system sends notifications via various formats such as plain text email HTTPS webhooks SMS text messages SQS and Lambda pushes messages which are then sent to subscribers you have SQS this is a queuing messaging system or service that sends a events to a queue other applications poll the queue for messages commonly used for background jobs we have Step Functions this is a state machine service it is it coordinates multiple AWS services into a serverless workflow easily share data among Lambdas have a group of Lambdas wait for each other create logical steps also works with Fargate tasks we have EventBridge formerly known as CloudWatch Events it is a serverless event bus that makes it easy to connect applications together from your own application third-party services and AWS services then there's Kinesis a real-time streaming data service creates producers which send data to a stream multiple consumers can consume data within a stream used for real-time analytics clickstreams ingesting data from a fleet of IoT devices you have Amazon MQ this is a managed message broker service that uses Apache ActiveMQ so if you want to use Apache ActiveMQ there it is Managed Kafka Service and this gets me every time because it says MSK and that is the proper initialization but you'd think it'd be MKS it is a fully managed Apache Kafka service Kafka is an open source platform for building real-time streaming data pipelines and applications similar to Kinesis but more robust very popular by the way we have API Gateway a fully managed service for developers to create publish maintain monitor and secure APIs you can create API endpoints and route them to AWS services we have AppSync this is a fully managed GraphQL service GraphQL is an open source agnostic query adapter that allows you to query data from many different data sources so there
you [Music] go hey this is Andrew Brown from ExamPro and we are comparing virtual machines to containers so I know we covered this prior but I just want to do it one more time just to make sure that we fundamentally understand the difference before we jump into containers so the idea is that if you were to request an EC2 instance it has a host operating system that we don't really know much about but we don't really need to know uh and then the idea is you have a hypervisor which allows you to deploy virtual machines and so when you launch an EC2 instance you're actually launching a VM on top of a hypervisor on a server uh with on uh within the AWS uh data centers servers there and you're going to choose an operating system so like Ubuntu and it might come with some pre-installed packages or you're going to install your own libraries packages and binaries and then you're going to decide what kind of workloads you want to run on there so it could be Django uh MongoDB so your database and some kind of queuing system like RabbitMQ the difficulties with virtual machines you're always going to end up with some unused space because you're going to want to have some headroom uh to make sure that uh you know if you know Django needs more memory or or MongoDB needs more storage that you have that room that you can grow into but the idea is that you're always paying for that even when you're not utilizing it and so you know that can be uh not as cost effective as you'd like it to be so when we're looking at um doing this again and we are using containers um instead of the hypervisor we have container virtualization a very common one would be called Docker daemon for Docker of course and so now you're launching containers and so maybe you have Alpine and this is for your web app and then you install exactly the libraries packages and binaries you need for that and then for uh MongoDB you want to have a different OS different packages and same thing with RabbitMQ maybe you
want to run it on FreeBSD and the idea is that uh you know you're not going to have this waste because it it's kind of changed the sense that these containers are flexible so they can expand or decrease based on the the use case of what they need uh and you know if you use particular services like AWS Fargate you know you're paying like for running the containers not necessarily uh for uh over provisioning okay so VMs do not make best use of space apps are not isolated which could cause uh config conflict security problems or resource hogging containers allow you to run multiple apps which are virtually isolated from each other launch new containers configure OS uh dependencies per container [Music] okay hey this is Andrew Brown from ExamPro and we are taking a look at the concept of microservices and to understand microservices we first need to understand monoliths or monolithic architecture and the idea here is that we have one app which is responsible for everything and the functionality is tightly coupled so I'm going to get my pen tool out here and just to highlight notice that there is a server and everything is running on a single server whether it's load balancing caching the database um maybe the marketing website the front-end JavaScript framework the back end with its API uh the uh ORM connected to background tasks things like that and that's the idea of a monolith and that's what um a lot of people are used to doing but the idea with microservice architecture is that you have multiple apps which are responsible for one uh one thing and the functionality is isolated and stateless and so just by uh leveraging um various cloud services or bolting it onto your service um you know you are technically using microservice architecture so maybe your web app is all hosted in containers so you have your APIs your or your ORM your reports maybe you've abstracted out some particular functions into Lambda functions you have your um marketing website hosted on S3 you
have your frontend JavaScript hosted on S3 you're now using Elastic Load Balancer uh ElastiCache RDS SQS and that's the idea between monoliths and microservices [Music] okay let's take a look here at Kubernetes which is an open-source container orchestration system for automating deployment scaling and management of containers it was originally created by Google and now maintained by the Cloud Native Computing Foundation so the CNCF Kubernetes is commonly called K8 the 8 represents the remaining letters for kuti which is odd because everyone calls it K8s with the S on there but that's just what is the advantage of Kubernetes over Docker is the ability to run containers distributed across multiple VMs a unique component of Kubernetes are pods a pod is a group of one or more containers with shared storage network resources and other shared settings so here is kind of an example where you have your Kubernetes master it has a schedule controller etcd you might be using it uses an API server to run nodes within the nodes we have pods and within the pods we have containers Kubernetes is ideally for microservice architectures where company has tens to hundreds of services they need to manage I need to really emphasize that tens to hundreds of services all right so you know Kubernetes is great but just understand that it is really designed uh to be used for massive amounts of microservices if you don't have that need you might want to look at something just easier to use [Music] okay all right let's take a look here at Docker which is a set of platform as a service products that use OS level virtualization to deliver software in packages called containers so Docker was the earliest popularized open source container platform meaning there's lots of tutorials there's a lot of services that uh integrate with Docker or make it really easy to use and so when people think of containers they generally think of Docker there's of course a lot more options out there than Docker to
run containers but this is what people think of and so we said it's a suite of tools so the idea is you have this Docker CLI so these are CLI commands to download upload build run and debug containers a Dockerfile a configuration file on how to provision a container Docker Compose uh which is a tool and configuration file when working with multiple containers Docker Swarm an orchestration tool for managing deployed multi-container architectures Docker Hub a public online repository for containers published by the community for download and one really interesting thing uh that came out of Docker was the Open Container Initiative OCI which is an open governance for creating open industry standards around container formats and runtimes so Docker established the OCI and it is now maintained by the Linux Foundation and so the idea is that you can write a Dockerfile or or do things very similarly and use different types of um uh technologies that can use containers as long as they're OCI compatible you can use them so Docker has been losing favor with developers due to their handling of introducing a paid open source model and alternatives like Podman are growing and that's why we're going to talk about Podman next [Music] okay so let's take a quick look here at Podman which is a container engine that is OCI compliant and is a drop-in replacement for Docker I just want to get you exposure here because I want you to know about this um and that you can uh use it as opposed to using Docker um there are a few differences or advantages that Podman has so Podman is daemonless where Docker uses a containerd daemon Podman allows you to create pods like Kubernetes where Docker does not have pods Podman only replaces one part of Docker Podman is is to be used alongside Buildah and uh Skopeo so you know Docker is an all-in-one kind of tool uh everything is done via single CLI and everything is there but you know they just wanted to make it more modular and so uh these other tools
anytime you say Podman it usually means we're talking about Podman Buildah and Skopeo so Buildah is a tool used to build the OCI images and Skopeo is a tool for moving container images between different types of container storages Podman is not going to show up in your exam but you should practically know it um just for your own benefit [Music] okay let's take a look here at the container services offered on AWS so we have primary services that actually run containers provisioning and deployment on you know tooling around provisioning deployment and supporting services so the first here is Elastic Container Service ECS um and the advantage of this service is that it has no cold starts but it is a managed EC2 so that means that you're going to be always paying for the resource as it is running all right then you have AWS Fargate so this is more robust than uh using AWS Lambda it can scale to zero cost um and it's uh being managed by AWS managed EC2 however it does have cold starts so you know if you need containers launching really fast you might be wanting to use ECS then you have Elastic Kubernetes Service EKS this is uh open source it runs Kubernetes um and this is really useful if you want to avoid vendor lock-in um which is not really a problem but uh that or it's just you want to run Kubernetes then you have AWS Lambda so you only think about the code uh it's designed for short running tasks uh if you need something that runs longer you want to use that is serverless you'd use AWS Fargate which is serverless containers you can deploy custom containers so prior AWS Lambda just had um pre-built runtimes which were containers but now you can create any kind of container and uh use that uh on AWS Lambda for provisioning deployment you can use Elastic Beanstalk so um it can uh deploy Elastic Container Service for you um which is very useful there now there's App Runner which kind of overlaps on what Elastic Beanstalk does but it specializes it specializes for
containers um and I believe that it can actually I don't know what it uses underneath because it is a managed service so Elastic Beanstalk is um open you can see what is running underneath an App Runner I don't believe you can see what is running underneath it's just taken care of by AWS then there's AWS Copilot CLI so this allows you to build release operate production ready containerized applications on App Runner ECS and AWS Fargate for supporting services you have Elastic Container Registry this is repo for your containers not necessarily just Docker containers but containers in general probably OCI compliant containers X-Ray so analyze and debug between uh microservices so you know it's distributed tracing then you have Step Functions so stitch together Lambdas and ECS tasks to to uh create um um a state machine and the only thing I don't have on here would be you know being able to launch an EC2 instance from the marketplace that has um a uh a container runtime installed like Docker um I just don't feel that that's very relevant for the exam but it is another option for containers not something that people do very often but there you [Music] go hey this is Andrew Brown from ExamPro and we are taking a look here at organizations and accounts so AWS Organizations allow the creation of new AWS accounts and allows you to centrally manage billing control access compliance security and share resources across your AWS accounts so here's kind of a bit of a structure of um the architecture of AWS Organizations and we'll just kind of walk through the components so the first thing you have is a root account user this is a single sign-in identity that has complete access to all AWS services and resources in an account and each account has a root account user so generally you will have a master or root account and even within that you'll have a root account user and for every additional account that you have you'll notice over here we have a root account user then
there's the concept of organizational units uh these are commonly abbreviated to OUs so they are a group of AWS accounts within an organization which can contain other organizational units creating a hierarchy so here is one where we have called Starfleet and here's one called Federation planets and underneath we have multiple accounts AWS accounts within that organizational unit and even though it does not show it here you can create an organizational unit within an organizational unit then we have service control policies SCPs and these give uh central control over the allowed permissions for all AWS accounts in your organization helping to ensure your accounts stay within your organization's guidelines what they're trying to say here is that um there's this concept of AWS IAM policies and all you're doing is you're creating a policy that's going to be uh organizational-unit-wide or organizational wide or for select accounts so it's just a way of applying IAM policies across multiple accounts AWS Organizations must be turned on and once it's turned on it cannot be turned off it's generally recommended that you do turn it on um because basically when if you're going to run any kind of serious workload you're going to be using AWS Organizations to uh isolate your AWS accounts based on workloads you can create as many AWS accounts as you like one account will be the master or root account um and I say root account here because this is the new language here and some of the documentation still calls it master account so do understand this is the root account not to be confused with the root account user so another clarification I want to make is an AWS account is not the same as a user account which is another thing that is confusing so when you sign up for AWS you get um an AWS account and then it creates you a user account which happens to be a root user account so hopefully that is clear [Music] so AWS Control Tower helps enterprises quickly set up a secure
AWS multi-account it provides you with a baseline environment to get started with a multi-account architecture so it does this a few uh a few different ways the first thing is it provides you a landing zone this is a baseline environment following well-architected and best practices to start launching production-ready workload so imagine you wanted to go have um you know the perfect environment that you know secure um is correctly configured and has good logging in place that's what a landing zone is and so AWS's landing zone for Control Tower is going to have SSO enabled by default so it's very easy to move between AWS accounts it will have centralized logging for AWS CloudTrail so that you know they're going to be tamper evident or tamper proof away from your workloads where they can't be affected it'll have cross-account security auditing um so yeah landing zones are really great to have then there's the Account Factory they used to call this um uh a vending machine but uh they changed it to Account Factory the idea is that it automates provisioning of new accounts in your organization it standardizes the provisioning of new accounts with pre-approved account configuration you can configure Account Factory with pre-approved network configuration and region selections uh enable self-service for your builders to configure and provision to accounts using a service catalog a service catalog is just pre-approved uh workloads uh via CloudFormation templates that you created to say okay you're allowed to launch this server these resources um and the third and most important thing that a Control Tower comes with is guardrails so these are prepackaged governance rules for security operations compliance that customers can select and apply enterprise-wide or to specific groups of accounts so AWS Control Tower is the replacement of the retired AWS Landing Zone so if you remember AWS Landing Zones which was never a self-serve easy thing to sign for it required a lot of
money and uh stuff to go in there they just don't really have it anymore and it was Control Tower is the new offering um there okay

hey this is Andrew Brown from ExamPro and we are taking a look at AWS Config and to understand AWS Config we need to know what compliance as code is and to understand compliance as code we need to understand what change management is so change management in the context of cloud infrastructure is when we have a formal process to monitor changes enforce changes and remediate changes and compliance as code also known as CAC is when we utilize programming to automate the monitoring enforcing and remediating changes to stay compliant with the compliance program or expected configuration so what is AWS Config well it's a compliance as code framework that allows us to manage change in your AWS accounts on a per region basis meaning that you have to turn this on for every region that you need it for and so here is a very simple example where let's say we create a config rule and we have an EC2 instance and we expect it to be in a particular state and then in the other case we have a an RDS instance and it's in a state that we do not like so the idea is that we try to remediate it to put it in the state that we want it to be and those config rules are just powered by Lambdas as you can see based on the Lambda icon there so when should you use AWS Config well this is when I want this resource to stay configured a specific way for compliance I want to keep track of configuration changes to resources I want a list of all resources within a region and I want to use uh analyze potential security weaknesses and you need detailed historical information so there you go

hey this is Andrew Brown from ExamPro and in this follow along we're going to take a look at AWS Config so AWS Config is a tool that allows you to ensure that your services are configured as expected so I've already activated it in my North Virginia region so what I'm
going to do is just go over to Ohio here uh because it is per region activated and I'll go over to Config and then what we'll have to do is set it up so there is this one-click setup and it did skip me to the review step because it's kind of piggybacking on the configuration of my original one here but the idea is that you'll just say uh record all resources in this region or things like that you'll have to create a service role link if you have not done so so this will look a little bit different but here it's using existing one you'll have to choose a bucket so or create a bucket uh it's not super complicated so you get through there you hit confirm and basically you're going to end up with this so the inventory um lets you see all the resources that or not all of them but most resources that are in your AWS account in this particular region it this will not populate uh right away so you will have to wait a little bit of time for that to appear one really nice thing are conformance packs I really love these things when AWS first brought these out there was only like a couple but now they have tons and tons and tons of conformance packs so you can go deploy a conformance pack and you can open up the templates I just want to show you look at how many they have so there's some you might recognize like NIST uh CIS things like that well-architected uh stuff and all these are um and I'm not sure if it's easy to open these up but all these are if we open them up they're on GitHub is these are just CloudFormation templates to set up configuration rules so there's a variety of suggested rules uh like around IAM best practices and things like that that we can load in um but the idea is that you're just going to create rules so you go here and you add a rule and they have a bunch of managed rules here um that we can look at but I think it might be fun to actually run a um a conformance pack I'll just show you what it looks like to add a rule first so let's say we
wanted to do something for S3 um and it was making sure that we are blocking public access so we go next here generally you'll have a trigger type you can choose whether it's uh configured when it happens or it's periodic this is disabled in this case here and you just scroll on down um and then once you've added the rule what you can do is also manage remediation so if this rule said hey this thing is non-compliant we want you to take a particular action and you have all these AWS actions that you can perform and you can notify the right people to correct it or have it auto correct if you choose to do so um for rules you can also make your own custom one so that's just you providing your own Lambda functions you're providing that Lambda ARN and so basically you can have it do anything that you want whatever you want to put in a Lambda you can make AWS Config check for okay so it's not super complicated here but um this one here is just going to go ahead and check and so if we go and re-evaluate it might just take some time to show up either going to say that it's compliant or non-compliant okay and I it should be compliant but while we're waiting for that to happen let's just see how hard it is to deploy a conformance pack because I feel like that's something that's really important oh you can just drop them down and choose them that's great so we might want to go to IAM here oops identity and access management and hit next and say uh my um uh IAM best practices and you might not want to do this because it does have spend and when I say spend it's not going to happen instantly but the idea is that if you turn this on and forget to remove it uh you will see some kind of charges over time because it does check based on the rules it's not super expensive but it is something to consider about um but anyway so it looks like we created that conformance pack so if I refresh it looks like it's in progress I wonder if that's going to set up a CloudFormation
template I'm kind of curious about that so we'll make our way over to CloudFormation and it is so that's really nice because once that is done what we can do is just tear it down by deleting the stack so I'm going to go back over to our conformance pack here let's take a look here and so it still says it's in progress but it is completed and we can click into it and we can see all the things that it's doing so it says IAM group has users check conformance pack um and so it looks like there's a bunch of uh cool rules uh here so what we'll do is we'll just wait a little while and we'll come back here and then just see if um this updates and see how compliant we are from a uh a basic account okay all right so after waiting a little while there it looks like some of them are being set so I just gave it a hard refresh here uh and here you can see that it's saying is root account um whoops we'll give it a moment here to refresh but uh is the root account MFA applied yes have we done a password policy no and actually I never did a password policy which is something I forgot to do but here they're just talking about the minimums and maximums of things that you can do okay so that's a conformance pack um but if we go to rules actually I guess it's all the rules here I can't really tell the difference between the conformance pack rules and our plain rules kind it's kind of all mixed together here I think yeah so it's a bit hard to see what's going on there if we go to the conformance pack and click in again it might show the rules yeah there we go so here's the rules there we're seeing a little bit more information so use a hardware MFA so you know how they're talking about using a security key like what I showed you that I had earlier in the course things like that um IAM password policy things like that so you know not too complicated but um I think I'm all done here so what I'm going to do is I'm going to go over to CloudFormation and tear that on down but you get the
idea well I might want to show you uh drift so there used to be a way it's 'cause I keep changing things on me here but there's a way to see uh history over time and so that was something that they used to show and I'm just trying to like find where they put it because it is like somewhere else resources maybe ah resource timeline okay so they moved it over into the resource inventory and so if we were to take a look at something anything maybe this here resource timeline um and there might not be much here but the idea is it will show you over time how things have changed so the idea is that not only can you say with AWS Config is something compliant but when was it compliant and that is something that is really important to know okay so very simple example maybe not the best but the idea is that we can see when it was and was not compliant based on uh changes to our stuff but uh anyway that looks all good to me here so I'm going to make my way over to CloudFormation actually already have it open over here we're going to go ahead and delete that stack um termination protection is enabled you must first disable it so we'll edit it disable it whatever okay we'll hit delete there and as that's deleting I'm going to go look for in Config my original rule there again I'm not really worried about it I don't think it's going to really cost me anything but uh I also just kind of clear the house here just so you're okay as well and so if we go over to our rules um the one that I spun up that was custom I think was this one here 'cause these are all grayed out right so I can go ahead there delete that rule type in delete and we are good so there you go that is it all right

AWS Quick Starts are pre-built templates by AWS and AWS partners to help deploy a wide range of stacks it reduces hundreds of manual uh procedures into just a few steps the uh Quick Start is composed of three parts it has a reference architecture for the deployment an AWS cloud
formation templates that automate and configure the deployment a deployment guide explaining the architecture implementation in detail so here's an example of one that you might want to launch like the AWS Q&A bot and then you will get an architectural diagram and a lot of information about it and from there you can just go press the button and launch this infrastructure most Quick Start reference deployments enable you to spin up a fully functional architecture in less than an hour and there is a lot as we will see here when we take a look for ourselves

all right so here is uh AWS Quick Starts where we have a bunch of CloudFormation templates uh built by AWS or Amazon or for AWS Partner Network APN partners and uh there's a variety of different things here so I'm just going to try to find something like Q&A bot Q&A bot just type in bot here and I don't know why it was here the other day now it's not showing up which is totally fine but um you know I just want anything to deploy just to kind of show you what we can do with it so you scroll on down we have uh this graphic here that's representing what will get deployed so we have CloudFront S3 DynamoDB Systems Manager Lex Polly all these kind of fun stuff um and there's some information about how it is architected and the idea is you can go ahead and launch in the console or view the implementation guide let's go take a look here um and there's a bunch of stuff so we have solutions and things like that conversational things like that but what I'm going to do is go ahead and see how far I can get to launching with this it doesn't really matter if we do launch it it's just the fact that um I want to just show you what you can do with it so if we go to the designer it's always fun to look at it in there because then we can kind of visualize all the resources that are available and I thought that that would populate over there but maybe we did the wrong thing so I'm just going to go back and
click I'm just going to click out of this oops cancel let's close that leave yes and we will launch that again and so this oh view in the designer I hit the wrong button okay and so now this should show us the template might just be loading there we go so this is what it's going to launch and you can see there's a lot going on here just going to shrink that there uh and I don't know if you can make any sense of it but clearly it's doing a lot and so if we were happy with this and we wanted to launch it I know I keep backing out of this but we're going to go back into it one more time we can go here and we can go next and then we would just fill in what we want so you name it put the language in and this is stuff that they set up so maybe you want a male voice set the ab in and stuff like that and it's that simple really um and every stack is going to be different so they're all going to have different configuration options but hopefully that gives you kind of an idea of what you can do with Quick Starts okay

let's take a look at the concept of tagging within AWS so a tag is a key and value pair that you can assign to an AWS resource so as you are creating a resource it's going to prompt you to say hey what tags do you want to add you're going to give a key you're going to give a value and so some examples could be something like based on department the status the team the environment uh the project as we have the example here the location um and so tags allow you to organize your resources in the following way for resource management so specific workload so you can say you know developer environments cost management and optimization so cost tracking budgets and alerts operations management so business commitments SLA operations mission critical services security so classification of data security impact governance and regulatory compliance automation workload automation and so it's important to understand that tagging can be used in conjunction with um IAM
policy so that you can restrict access or things like that based on those tags okay

all right I just want to show you one interesting thing about tags um and it's just the fact that it's used as the name for some services so when you go to EC2 and you launch an instance uh the way you set the name is by giving it a tag called name and I just want to prove that to you just like one of those little exceptions here so we choose an instance here we go to configure storage and then what we do is we add a tag and we say name um and my server name okay and then we go ahead and review and launch we're going to launch this I don't need a key pair so we'll just say proceed without key pair I acknowledge okay and we will go view the instances and you'll see that is the name so um that's just like one of those exceptions or things that you can do with tags if there's other things with tags I have no idea that's just like a basic one that everybody should know and that's why I'm showing it to you with the tags but there you go so we just looked at tags now let's see what we can do with resource groups which are a collection of resources that share one or more tags or another way to look at it it's a way for you to take multiple tags and organize them uh into resource groups so it helps you organize and consolidate information based on your project and the resources that you use resource groups can display details about a group of resources based on metrics alarms configuration settings and at any time you can modify the settings of your resource groups to change what resources appear resource groups appear in the global console header uh which is over here and under the Systems Manager so technically it's part of AWS Simple Systems Manager or Systems Manager interface but it's also part of the global interface so sometimes that's a bit confusing but uh that's where you can find it okay

all right so what I want to do is explore resource groups and and also um
tagging so what I want you to do is type in resource groups at the top here and it used to be accessible not sure where they put it but it used to be accessible here at the top but they might have moved it over to Systems Manager so I'm going to go to SSM here not sure why I can't seem to find it today and on the left hand side we're going to look for resource groups for for for all right so what I want to do is take a look at resource groups and I'm really surprised because it used to be somewhere in the global nav but I think they might have changed it um and what's also frustrating is if I go over to Systems Manager it was over here as well and so on the left hand side I'm looking for resource groups it's not showing up so I don't know AWS you keep moving things around on me and I'm I can only update things so quickly in my courses but if you type in resource groups and tag editor it's actually over here um I guess it's its own standalone service now why they keep changing things I don't know but uh the idea is we want to create a resource group so you can create unlimited single region groups in your AWS account use the group to view related insights things like that so I'm going to go ahead and create a resource group you can see it can be tag based or CloudFormation based but I don't have any tags I don't really have anything tagged so what I'm going to do is make my way over to S3 we're just going to create some resources or a couple resources here with some tags so that we can do some filtration so I can go ahead and create a bucket going to say my bucket uh this like that whoops and then down below I'm going to go down to tags and we're going to say project and we're going to say um RG for resource group okay and then I can go back over here and then I'm going to just say I can say exactly what type I want I'm going to support all resource types and I'm going to say project RG see how it autocompletes and we'll go down below we'll just say my RG a test RG
we'll create that and so now we have a resource group and we can see them all in one place uh resource groups are probably useful for using in um policies so I can say like resource group IAM policies that's probably what they're used for okay so before you use IAM to manage access to resource groups you should understand IAM features things like that and so administrators can use JSON policies to specify who has access to what and so a policy action a resource group is used following the prefix resource groups so my thought process there is that if you want to say okay you have access to a resource you can just specify a resource group and it will include all the resources within there and so that might be um a better way to apply permissions at a per project basis um and that could save you a lot of time writing out IAM policies so that's basically all there really is to it also you kind of get an overview of the resources that are there so that can be kind of useful as well there's the tag editor here I can't remember what you use this for you can set up tag policies um tag policies help you standardize tags on resource groups in your accounts used uh to define tag policies and AWS org to attach them to the entire organization um we're not in the org account so I'm not going to show you this and it's not that important um but just understand that resource groups can be created and they are used within IAM policies in order to um uh grant or deny access to stuff you go ahead and delete that resource group and really AWS stop moving that on me if you move it one more time I'm just never going to talk about resource groups again okay

hey this is Andrew Brown from ExamPro and we are taking a look at business-centric services and you might say well why because in the exam guide it explicitly says that these are not covered but the thing is is that when you're taking the exam some of the uh choices might be some of these services as distractors and if
you know what they are it's going to help make sure that you um uh guess correctly and the thing is that some of these services are useful and you should know about them so that's another reason why I'm talking about them here so the first one is Amazon Connect this is a virtual call center you can create workflows to route callers you can record phone calls manage a queue of callers based on the same proven system used by Amazon customer service teams we have WorkSpaces this is a virtual remote desktop service secure managed service for provisioning either Windows or Linux desktops in just a few minutes which quickly scales up to thousands of desktops we have WorkDocs which is a shared collaboration service a centralized storage to share content and files it is similar to Microsoft SharePoint think of it as a shared folder where the company has ownership we have Chime which is a video conference service it is similar to Zoom or Skype you can screen share have multiple people on the same call it is secure by default and can show you a calendar of upcoming calls we have WorkMail this is a managed business uh email contacts calendar service with support of existing desktop and mobile email client applications that can handle things like IMAP similar to Gmail or Exchange we have Pinpoint this is a marketing campaign management service Pinpoint is for sending targeted emails via SMS push notifications voice messages you can perform um A/B testing or create journeys so complex email response workflows we have SES this is a transactional email service you can integrate SES into your application to send emails you can create common templates track open rates keep track of your reputation we have QuickSight this is a business intelligence uh service connect multiple data sources and quickly visualize data in the form of graphs with little to no knowledge definitely you want to remember QuickSight SES Pinpoint uh because those definitely will show up in the exam the
rest probably not but they could show up as distractors okay

hey this is Andrew Brown from ExamPro and we are taking a look at provisioning services so let's first what is provisioning so provisioning is the allocation or creation of resources and services to a customer and provisioning services are responsible for setting up and managing those AWS services we have a lot of services that do provisioning most of them are just using CloudFormation underneath which we'll mention here but let's get to it the first is Elastic Beanstalk this is a platform as a service to easily deploy web apps EB will provision various AWS services like EC2 S3 SNS CloudWatch EC2 Auto Scaling groups load balancers uh and you can think of it as the Heroku equivalent to AWS then you have OpsWorks this is a configuration management service that also provides managed instances of open source configuration management software such as Chef and Puppet so you'll say I want to have a load balancer or I want to have servers and it will provision those for you uh indirectly then you have CloudFormation itself this is an infrastructure modeling and provisioning service it automates the provisioning of AWS services by writing CloudFormation templates in either JSON or YAML and this is known as IaC or infrastructure as code you have Quick Starts these are pre-made packages that can uh be launched and configure your AWS compute network storage and other services required to deploy a workload on AWS we do cover this in this course but Quick Starts is basically just CloudFormation templates that are authored by the community or um by um Amazon Partner Network okay then we have AWS Marketplace this is a digital catalog for thousands of software listings of independent software vendors that you can use to find buy test and deploy software so the idea is that um you know you can go there and provision whatever kind of resource you want we have AWS Amplify this is a mobile web app framework that will
provision multiple AWS services as your backend it's specifically for serverless services I don't know why I didn't write that in there um but you know like DynamoDB um things like uh whatever the GraphQL service is called API Gateway things like that uh then we have App Runner this is a fully managed service that makes it easy for developers to quickly deploy containerized web apps and APIs at scale with no prior infrastructure experience required it's basically a platform as a service but for containers we have AWS Copilot this is a command line interface that enables customers to quickly launch and manage containerized applications on AWS it basically is a CLI tool that sets up a bunch of scripts to set up pipelines for you makes things super easy we have AWS CodeStar this provides a unified user interface enabling you to manage your software development activities in one place usually launch common types of stacks like LAMP then we have AWS CDK and so this is infrastructure as a code tool allows you to use your favorite programming language generates out CloudFormation templates as a means of IaC so there you go

hey this is Andrew Brown from ExamPro and we are taking a look at AWS Elastic Beanstalk before we do let's just define what PaaS is so platform as a service allows customers to develop run and manage applications without uh the complexity of building and maintaining the infrastructure typically associated with developing and launching an app and so Elastic Beanstalk is a PaaS for deploying apps with little to no uh knowledge of the underlying infrastructure so you can focus on writing application code instead of setting up an automated deployment pipeline or DevOps tasks the idea here is you choose a platform upload your code and it runs with little uh knowledge of the infrastructure and AWS will say that it's generally not recommended for production apps but just understand that they are saying this for enterprises and large companies if
you're a small to medium company you can run Elastic Beanstalk for quite a long time it'll work out great Elastic Beanstalk is powered by CloudFormation templates and it sets up for you elastic load balancer ASGs RDS EC2 instances preconfigured for particular platforms uh monitoring integration with CloudWatch SNS uh deployment strategies like in place blue green uh deployment has security built in so it could rotate out your passwords for your databases and it can run dockerized environments and so when we talk about platforms you can see we have Docker multicontainer Docker uh Go .NET Java Node.js Ruby PHP Python Tomcat Go a bunch of stuff and just to kind of give you that architectural diagram to show you that it can launch of multiple things okay

hey it's Andrew Brown from ExamPro and in this follow along we're going to learn all about Elastic Beanstalk maybe not everything but we're going to definitely know how to at least um use the service so Elastic Beanstalk is a platform as a service and what it does is it allows you to uh deploy web applications very easily so here I've made my way over to Elastic Beanstalk I mean environment and app and then we set up our application we have two tiers a web server environment a worker environment worker environment is great for long running workloads performing uh background jobs and things like that and then you have your web server which is your web server and you can have both and it's generally recommended to do so um but anyway what we'll do is create a new application so let's say my app here and uh there's some tags we can do and then it will name based on the environment then we need to choose an environment name so say my environment and just put a bunch of numbers in there hit the check availability scroll on down and we have two options managed platform custom platform and I'm not sure why custom is blanked out but it would allow you to um it would allow you to I think use your own containers so I'm a
big fan of Ruby so I'm going to drop down to Ruby and here we have a bunch of different versions and so 2.7 is pretty new which is pretty good and then there's the platform version which is fine and the great thing is it comes with a sample application now you could hit create environment but you'd be missing on a lot if you don't hit this configure more options I don't know why they put it there it's a not very good UI but um if you click here you actually get to see everything possible and so up here we have some presets where we can have a single instance so this is where it's literally running a single EC2 instance so it's very cost effective you can have it with spot uh spot pricing so you save money um there's high availability so you know if you want it set up with a load balancer an auto scaling group it will scale very well or you can do custom configuration we scroll on down here you can enable Amazon X-Ray you can rotate out logs you can do log streaming um there's a lot of stuff here and basically it's just like it sets up most for you but you can pretty much configure what you want as well if we had the load balancer set if I go here go to high availability now we'll be able to change our load balancer options you have different ways of deploying so you can go here and then change it from all at once rolling immutable traffic splitting depends on what your use case is um we can set up a key pair to be able to log into the machine there's a whole variety of things you can connect your database as well so it can create the database alongside with it and then it can actually rotate out the key so you don't have to worry about it which is really nice what I'm going to do is go to the top here and just choose a single instance because I want this to be very cost-effective we're going to go ahead and hit create environment and so we are just going to wait for that to start up and I'll see you back when it's done okay okay so it's been uh quite a
while here and it says a few minutes so if it does do this what you can do is just give it a hard refresh I have a feeling that it's already done is it done yeah it's already done so and here it says on September 2020 Elastic Beanstalk etc default default I don't care um but anyway so this application I guess it's in a pending state um I'm not sure why let's go take a look here causes instance has not sent any data since launch uh none of the instances are sending data so that's kind of interesting because um I shouldn't have any problems you know what I mean so what I'm going to do is just reboot this machine and see if that fixes the issue there but usually it's not that difficult because it's the sample application it's not up to me um as to how to fix this you know what I mean so I'm not sure but um what we'll do is we will let the machine reboot and see if that makes any difference okay all right so after rebooting that machine now it looks like the server is healthy so it's not all that bad right if you do run into issues that is something that you can do and so uh let's go see if this is actually working so the top here we have a link and so I can just right click here it says congratulations your first AWS Elastic uh Beanstalk Ruby application is now running so it's all in good shape um there's a lot of stuff that's going on here in Elastic Beanstalk that we can do uh we can go back to our configuration and change any of our options here so there's a lot of stuff as you can see uh we get logging uh so click the request log so if we click on this and say last 100 lines we should be able to get uh logging data we have to download it I wish it was kind of in line but here you can kind of see what's going on so we have STD access logs error logs Puma logs Elastic Beanstalk engine so you could use that to debug very common to take that over to uh support if you do have issues uh for health it monitors the health of the instances which is great then we have some uh
monitoring uh data here so it gives you like a built dashboard so that's kind of nice you can set up alarms um you have not defined any alarms you can add them via the monitoring dashboard so I guess you'd have to you'd have to somehow add them um I don't think I've ever added alarms for um Elastic Beanstalk but it's nice to know that they have them you can set up schedules for managed events then this is event data so it's just kind of telling you it's kind of like logs it just tells you of things that have changed so there's stuff like that what I'm looking for is to see how I can download the existing application because there's a version uploaded here oh the source is over here okay so I think it's probably over here the one that's running so that's it if it was easy to find what I probably would do is just modify it and oh yeah it's over here so if we go here and download the zip I wonder if it'd be even worth um playing with this so let's I'm just going to see if we can go over to Cloud9 and give this a go quickly so if we go over and launch a Cloud9 environment maybe we can tweak it and upload a revised version so we say create new we'll say EB um uh environment for Elastic Beanstalk uh we'll set it all the defaults that's all fine it's all within the free tier we'll create that environment what I'm going to do is just take this uh Ruby zip file and move it to my desktop and as that is loading we'll give it a moment here I'm just going to go back and I was just curious does it let you download it directly from here no so only thing is that you know if you download that application Elastic Beanstalk usually has a configuration file with it and so I don't know if they would have given that to us but if they did that would be really great but we just have to wait for that to uh launch there as well I guess you can save configurations and roll back on those as well um but we will just wait a moment here while it's going I might just peek inside of this file to see
what it is this ZIP contains just going to go to my desktop here open up that zip so it looks pretty simple it doesn't even look like a Rails app it looks like maybe it's a Sinatra app I thought before that it would it would have deployed a Ruby on Rails application but maybe they keep it really simple um I don't see usually it's like YAML files they use for configuration I don't see that there so it might be that the default settings will work fine uh there's a config.ru and stuff like that but once Cloud9 is up here we will upload this and see what we can do with it okay so there we go uh Cloud9 is ready to go and so if we right click here whoops right click here we should be up be able to upload a file if not we can go up here to the top or it's here or there where is the upload I've I've uploaded things in here so I absolutely know we can I just got to find it is that the upload upload files Cloud9 oh boy that's not helpful that's not helpful at all so let me just click around a little bit here I mean worst case I can always just bring it in via a curl oh upload local files there it is I was just not um being patient okay so we'll drag that on in there and we will did it upload yep it's right there okay great so we need to unzip it so what I'll do is just drag this on up here I'll do an ls and we'll say unzip rubyzip and so that unzipped the contents there I think the readme was part of Cloud9 so I'm going to go ahead and delete that out not that it's going to hurt anything and so now what we can do and we'll delete the original original zip there um and let's see if we can make a change here so I'm just going to open up see what it is so yeah it's running Sinatra so that's pretty clear there we have a Procfile to say how it runs we have a worker sample sample so that just tells how the requests go you don't need to know any of this I'm just kind of clicking through it because I know Ruby very well we have a cron YAML file so that could be something that
gets loaded in here so I think basically a Sinatra app probably just works off the bat here but if we want to make a change we probably just make a change over to here so I'll go down here and this is your second AWS Elastic Beanstalk application so the next thing we need to do is actually zip the contents here I don't know if it would let us zip it within here but I'll have to look like zip the contents of a directory Linux this goes to show Google is everything so the easiest way to zip a folder um zip everything in the current directory Linux okay that's easy so we'll go back over here and we will type in zip and it wants hyphen r for recursive which makes sense and then the name of the zip so um uh Ruby 2.zip and we'll do period zip warning found is who is zip oh uh yum install zip maybe we have to install uh zip but maybe it's not installed sudo yum install zip since it's Amazon Linux 2 it uses yum and so package already installed so I'm going to type zip again so zip is there now great oops don't need to install twice zip warning Ruby 2 zip not found or empty okay so install zip and use zip hyphen r you can use the flag to best compensate so if that's not working what I'm going to do is just go up a directory why is it saying not found or [Music] empty maybe I need to use okay so I think the problem was is I was using the wrong flag so I put f instead of r I don't know why I did that so I probably should have done this okay and so that should have copied all the contents of that file so what I'm going to do is go ahead whoops make sure I have that selected and download that file and once I have downloaded that file I'm going to just open the contents to make sure it is what I expect it to be so we're going to open that up and whoops get out of here WinRAR and it looks like everything I want so what I'm going to do is go back over to here I'm going to make sure I have my Ruby 2 on my desktop and we're going to see if we can upload another version here so
upload and deploy choose the file we're going to go all the way to my desktop here and we're going to choose Ruby 2 and um like Ruby 2 will be the version name or we'll just say two and we'll deploy and we'll see if that works okay but there are like uh Elastic Beanstalk configuration files like YAML files that can sit in the root directory and so generally you're used to seeing them there but you know I imagine that AWS probably engineered these examples so that it uses all the default settings but uh once this is deployed I'll see you back here in a moment okay after a short little wait it looks like it has deployed so what I'm going to do is just close my other tabs here and open this up and see if it's worked it says your second AWS Elastic Beanstalk Ruby application so uh we were successful uh deploying that out which is really great so what we can do now is just close that tab there and uh since we have that cloud environment it will shut down on its own but you know just for your benefit I think that we should shut it off right now so go ahead and delete that I'm going to go back over to Elastic Beanstalk here and I just want to destroy all of it so we'll see if we can just do that from here terminate the application enter the name so I think we probably have to enter that in there and so I think that oh a problem occurred rate exceeded what that's AWS for you so it's not a big deal I would just go and check it again and maybe what we'll do is just delete the application first okay so that one is possibly deleting let's go in here is anything changing can't even tell we'll go ahead oh can't take that one out delete application again if it takes you a couple times it's not a big deal it's AWS 4 yes so there's a lot of moving parts so it looks like it is terminating the instance and so we just have to wait for that to complete uh once that is done we might have to just tear down the environment so I'll see you back here when it has finished tearing this down okay
all right and so after a short little wait here I think it's been destroyed we'll just double check by going to the applications going to the environments yeah and it's all gone probably cuz I initially deleted that environment and then took the application with it so I probably didn't have to delete the app separately um but uh yeah so there you go and just make sure your Cloud9 environment's gone and you are a okay there'll probably be some like lingering S3 buckets so if you do want to get rid of those you can it's not going to hurt anything having those around uh but they do tend to stack up after a while which is kind of annoying so if you don't like them you can just empty them out as I am doing here whoops oh just permanently delete copy that text there we can go back to here and then just go take out that bucket let's delete that there oh if you get this this is kind of annoying but uh Elastic Beanstalk likes to put in an IAM permission or policy here so if you go down here there's a bucket policy you just have to delete it out it prevents it from being deleted and we'll go back over here and then we will delete it okay and yeah there we go that's [Music] it so let's take a look at serverless services on AWS and this is not including all of them because we're looking at the most purely serverless services uh if we tried to include all the serverless services it would just be too long of a list uh but let's take a look here so um before we do let's just redefine what is serverless so when the underlying servers infrastructure and operating system is taken care of by the CSP serverless is generally by default highly available scalable cost effective you pay for what you use the first one is DynamoDB which is a serverless NoSQL key value and document database it's designed to scale to billions of records with guaranteed consistent data return in at least a second you do not have to worry about managing shards you have Simple Storage Service S3 which is a serverless
object storage service you can upload very large and unlimited amounts of files you can pay for what you store you don't worry about the underlying file system or upgrading the disk size we have ECS Fargate which is a serverless orchestration container service is the same as ECS except you pay on demand per running container with ECS you have to keep an EC2 server running even if you have no containers running where AWS manages the underlying server so you don't have to scale or upgrade the EC2 server we have AWS Lambda which is a serverless function service you can run code without provisioning or managing servers you upload a small piece of code choose uh how much memory you want how long you want the function is allowed to run before timing out you're charged based on the runtime of the service function rounded to the nearest 100 milliseconds we have Step Functions this is the state machine service it coordinates multiple services into serverless workflows easily share data among Lambdas have a group of Lambdas wait for each other create logical steps also work with Fargate tasks we have Aurora Serverless this is a serverless on demand version of Aurora so when you want most of the benefits of Aurora but trade you have to trade off those cold starts or you don't have lots of traffic or demand so things serverless services that we could have put in here as well is like API Gateway AppSync Amplify um and those are like the the first two were app integrations you could say SQS SNS those are all serverless services but you know again we'd be here all day if I I I listed them all [Music] right all right let's take a look at what is serverless and we did look at it from a server perspective earlier in the course but let's just try to abstractly define it and talk about the architecture so serverless architecture generally describes fully managed cloud services and the classification of a cloud service being being serverless is not a Boolean answer it's it's not a yes or no but an answer
on a scale where a cloud service has a degree of serverless and I do have to point out that this definition might not be accepted by um everybody because serverless is one of those uh terms where um we've had a bunch of different cloud service providers define it differently and then we have thought leaders that have a particular concept of what it is so you know I just do my best to try to make this practical here for you but a serverless service could have all or most of the following characteristics and so it could be highly elastic and scalable highly available highly durable secure by default it abstracts away the underlying infrastructure and are billed based on the execution of your business tasks a lot of times that uh that cost is not uh is not always represented as something that is like I'm paying X for compute it could be abstracted out into some kind of um credit that uh doesn't necessarily map to something physical then we have serverless can scale to zero meaning when it's not in use the serverless resources cost nothing uh and these two last topics basically pull into pay for value so you don't pay for idle servers you're paying for the value uh that your service provides and uh my friend Daniel who runs the serverless Toronto group he likes to describe serverless as being similar to like energy efficient rating so an analogy of serverless could be similar to energy rating labels which allows consumers to compare the energy efficiency of a product so some services are more serverless than others and again you know some people might not agree with that where there's a a definitive yes or no answer but I think that's the best way to look at it [Music] okay hey it's Andrew Brown from exam Pro and we're taking a look at Windows on AWS so AWS has multiple cloud services and tools to make it easy for you to run Windows workloads on AWS so let's get to it so the first is Windows servers on EC2 so you can select from a number of Windows Server versions including the
latest version like Windows Server 2019 uh for uh databases we have SQL Server on RDS you can select from a number of SQL Server database versions then we have AWS Directory Service which lets you run Microsoft Active Directory AD as a managed service we have AWS License Manager which makes it easier to manage your software licenses from software vendors such as Microsoft we have have Amazon FSx for Windows File Server which is a fully managed scalable storage built for Windows we have the AWS SDK which allows you to write code in your favorite language to interact with AWS API but it specifically has support for .NET a language favorite for Windows developers we have Amazon WorkSpaces so this allows you to run a virtual desktop you can launch a Windows 10 desktop to provide secure and durable workstations that is accessible from wherever you have an internet connection AWS Lambda supports PowerShell as a programming language to write your serverless functions and we have AWS Migration Acceleration Program MAP for Windows is a migration methodology for moving large enterprises AWS has Amazon partners that specialize in providing professional services for MAP this is not just everything for Windows on AWS like if you want to move your SQL Server over to RDS Postgres I believe they've like they created an adapter to do that um but yeah hopefully that gives you an idea what you can do with Windows on AWS [Music] okay hey this is Andrew Brown from exam Pro and I want to show you how you can launch a Windows uh server on AWS so what you're going to do is go to the top here and we are going to type in EC2 and from here uh what we'll do is we'll go ahead and launch ourselves a new EC2 instance and we are going to have um a selection of instances that we can launch and so we're looking for for the Microsoft Windows server and this is interesting there's actually a free tier eligible that is crazy because if you go over to Azure they don't have a free tier Windows
Server does so that's pretty crazy um and it runs on a T2 micro no that can't be right there's no way it can run a T2 micro that seems like that's too small let's try it okay I just don't believe it because when you use Azure you have to choose a particular size of instance by default and it's a lot more expensive and there is no free tier so we'll go here there are free tier just not really for Windows in particular so we'll go here this looks good security groups this opens up RDP so we can get into that machine we're going to go next here and launch this machine says if you plan to use AMI the benefits the Microsoft license mobility check out this form that's not something we're worried about today and I mean I guess we can create a key pair I'm not sure what we would use a key pair for here um for Windows AMIs the private key file is required to obtain the password used to log into the instance okay so I guess we're going to need it so Windows key great we'll launch that instance and uh I'll see you back here when it launches but I just don't believe that it would launch that fast you know all right so after a short little wait here the server is ready and so let's see if we can actually go ahead and connect to this so I'm going to hit connect here and we're go over to RDP client so you connect to your Windows instance using a remote desktop client of your choice and downloading and running the RDP shortcut below so I'm going to go ahead and download this and you're going to have to be on a um Windows machine to be able to do this or have an RDP client installed I think there's one for Mac that you can get from the Apple Store um but all I'm going to do is just double click the file so you probably can't see it here I'm just going to expand this trying to oh my computer is being silly but anyway there we go we moved it over there I'm just going to drag over here and just double click this image so you can see that I'm doing it I'm saying connect okay and it's
going to ask for a password so I'm going to hope that I can just click that and get the password so to decrypt the password you will need your key pair for this instance you'll have to upload that and I don't know if I remember having to do that before but it's a great security measure so I'm fine with it I'm going to drag my key to my desktop so I can see what's going on there as well and we're going to go grab that and decrypt the password and so now um where's our password oh it's right here okay so we're going to grab that password there we will paste that in said okay say yes and see if we can connect to this instance and if this is running on a T2 micro I'm going to lose it because that is just cheap it just just doesn't seem possible to me because again on Azure you have to launch an instance with a lot of stuff and it just uh seems uh crazy what's also interesting is that AWS uh on Windows like launches so fast it's unbelievable how fast these servers uh spin up and it's just very unusual but yeah so we are in here um it's not asking me to activate or anything so I guess there's already a Windows license here and um I'm not sure if there's any kind of like games installed like do we have Minesweeper can I play Minesweeper on here it's a data center server so I'm assuming not um but yeah so this is a Windows server and it's pretty impressive that this works I'm not sure if this is going to have an outbound connection here um just because we probably would have to configure it let's just say okay I just I really don't think it's going to go to the Internet by default yeah so you'd probably have to do some stuff you know oh no there we go so yeah we got to the Internet so it's totally possible but uh yeah that's about it that's all I really wanted to show you so what I'm going to do is just go back to EC2 and we're going to shut down the server here just expand that there and we will go here and we will terminate that instance good we'll give that a refresh that's
shutting down and we are [Music] done hey this is Andrew Brown from exam Pro and we are taking a look at AWS License Manager and before we do let's talk about what BYOL or bring your own license mean so this is the process of reusing an existing software license to run vendor software on a cloud vendor computing service BYOL allows companies to save money since they may have purchased the license in bulk or at a time that provided a greater discount than if purchased again and so an example of this could be the license mobility provided by Microsoft's volume licensing to customers with eligible server applications covered by the Microsoft Software Assurance program uh and I don't know what I was trying to do there I guess maybe it's just SA and I missed the parentheses there on the end no big big deal um but AWS License Manager is a service that makes it easier for you to manage your software licenses from software vendors centrally across AWS and your on-premise environments AWS License Manager software uh that is licensed based on virtual cores uh physical cores sockets or a number of machines this includes a variety of software products for Microsoft IBM SAP Oracle and other vendors so that's the idea you say what is my license type it's it's bound to this amount of CPUs AWS License Manager works with EC2 with dedicated instances dedicated hosts and even spot instances and for RDS there's only for Oracle databases so you can import that license for your Oracle server um just understand that um if you're doing Microsoft Windows servers or Microsoft SQL Server license you're generally going to need a dedicated host because of the Assurance program uh and this can really show up on your exam so even though a License Manager works on dedicated instances and spot instances just try to gravitate towards dedicated hosts on the server or on the exam okay [Music] all right let's take a look at the logging services that we have available in AWS so the first one here
is CloudTrail and this logs all API calls whether it's SDK or the CLI so if it's making a call to the API it's going to get tracked between AWS services and this is really useful to say who can we blame who was the person that did this so who created this bucket who spun up that expensive EC2 instance who launched the SageMaker notebook um and the idea here is you can detect developer misconfiguration detect malicious actors or automate responses through the system then you have CloudWatch which is a collection of multiple services I commonly say this is like an umbrella service because it has so many things underneath it so we have CloudWatch Logs which is a centralized place to store your cloud services log data application logs metrics which represents a time ordered set of data points a variable uh to monitor uh EventBridge or previously known as CloudWatch Events triggers an event based on a condition so every hour take a snapshot of the server alarms triggers notifications based on metrics dashboards creates visualizations based on metrics and that's not all of the things that are under CloudWatch but those are the core five ones you should always know um absolutely there then we have AWS X-Ray this is for a distributed tracing system so you can use it to pinpoint issues within your microservices so you see how data moves from one app to another how long it took to move and if it failed uh to move forward [Music] okay let's take a close look here at AWS CloudTrail because it's a very important service so it's a service that enables governance compliance operational auditing and risk auditing of your AWS account and the idea is that every time you make an API call it's going to show up as some kind of structured data that you can uh interact with or read through so AWS CloudTrail is used to monitor API calls and actions made on the AWS account easily identify which users and accounts made the call to AWS so you might have the where so the source
IP address the when the event time the who the user agent uh and the what the region resource in action so I'm just going to get my pen tool out here for a moment and just notice you have the event time so when it happened the source the name the region the source IP address the user agent uh who was doing it so here was LE Forge the response element so you know it's very clear what is going on here um and then you know CloudTrail is already logging by default and will collect logs for the uh for the last 90 days via event history if you need more than 90 days you need to create a trail which is very common you'll go into AWS and make one right away trails are outputted to S3 and do not have a GUI like event history to analyze a trail you have to use Amazon Athena and I'm sure there are other ways to analyze it within AWS but here's just what the event history looks like so right off the bat you can already see that there are information there I'm not sure if they've updated the UI there they might have uh as even when I'm recording this I kind of feel like if we go into the follow along which we will um I bet they might have updated that the idea here is that you know you can browse the last 90 days but anything outside of that you're going to have to do a little bit of work yourself [Music] okay so we're not going to cover all the CloudWatch services there's just too many but let's look at the most important ones and one of those important ones is CloudWatch alarms so CloudWatch alarms monitors a CloudWatch metric based on a defined threshold uh so here you can see there's kind of a condition being set there so if the network in is greater than 300 for one data points within 5 minutes it's going to breach an alarm so uh that's when it goes outside its defined threshold and so the state's going to either be something like okay so the metric or expression is within the defined threshold so do nothing alarm the metric or expression is outside of the defined
threshold so do something or insufficient data the alarm has just started the metric is not available not enough data is available and so when the state has changed you can define actions that it should take and so that could be doing a notification Auto Scaling group or an EC2 action um so CloudWatch alarms are really useful for a variety of reasons the one that we will come across right away will be setting up a billing alarm [Music] so let's take a look here at the anatomy of an alarm and so I have this nice graphic here to kind of explain that there and so the first thing is we have our threshold condition uh and so here you can just set a value and say okay the value is a thousand or 100 whatever you want it to be and this is going to be for a particular metric the actual data we are measuring so maybe in this case we're measuring network in so the volume of incoming network traffic measured in bytes so when using 5 minute monitoring divide by 300 we get bytes per second if you're trying to figure out that calculation there you have data points so these represent the metrics measurement at a given point then you have the period how often it checks to evaluate the alarm so we could say every five minutes uh you have the evaluation period so the number of previous periods and the data points to alarm so you can say one data point is breached and evaluation period going back four periods so this is what triggers the alarm uh the thing I just want you to know is that you can set a value right and that it's based on a particular metric and there is a bit of logic here in terms of uh the alarm so it's not as simple as just it's breached but there's this period thing happening [Music] okay let's take a look at CloudWatch Logs so to understand that we have log streams and log groups so a log stream is uh a stream that represents a sequence of events from an application or instance being monitored so imagine you have an EC2 instance running a web application and you want
those logs to be streamed to CloudWatch Logs that's what we're talking about about here so you can create log streams manually uh but generally this is automatically done by the service you are using uh unless you were collecting application logs on an EC2 instance as I just described here is a log group of a Lambda function you can see the log streams are named after the running instance Lambdas frequently run on new instances so the stream contains timestamps so what I'm trying to say here is that there's a variety of different services Lambda RDS what have you and they already send their logs to CloudWatch Logs and they're and they're going to vary okay so here's a log group of an application log running on EC2 you can see here the log streams are named after the running instance ID here is the log group for AWS Glue you can see that the log streams are named after the Glue jobs um and so you know we have the streams but let's talk about the actual data that's made up of it the log events so this represents a single event in a log file log events can be seen within the log stream and so here's an example of you would open this up in CloudWatch Logs and you can actually see what what was being reported back by your server you can filter these events to filter out uh logs based on simple or pattern matching uh syntax so here I'm just typing in saying give me all those debug stuff and you know this isn't very robust but AWS does have a better way of analyzing your logs which is log insights which we'll look at here in a moment so we were just looking at uh CloudWatch log events and how those were collected but there's an easier way to analyze them and that's with log insights so you can interactively search and analyze your CloudWatch log data and it has the following advantages more robust filtering than using the simple filter in the in a log stream less burdensome than having to export logs to S3 and analyze them via Athena CloudWatch log insights supports all
types of logs so CloudWatch log insights is commonly used via the console to do ad hoc queries against log groups so that's just kind of an example of someone writing a query and CloudWatch log insights uses a query syntax so a single request can query up to 20 logs query time out after 50 minutes if not completed and queries result are available for 7 days so AWS provides sample queries that you can get started for common tasks and uh and ease the learning into the query syntax a good example is filtering VPC flow logs so you go there you click it and you start getting some data you can create and save your own queries uh to make future repetitive tasks easier on the Certified Cloud Practitioner they're not going to ask you all these details about this stuff but I just conceptually want you to understand that in log insights you can use it to uh robustly filter your logs based on this query syntax language you get this kind of visual and it's really really useful let's take a look here at CloudWatch metrics which represents a time ordered set of data points it's a variable that is monitored over time so CloudWatch comes with many predefined metrics that are generally namespaced by AWS services uh so the idea is that like if we were to look at the EC2 it has these particular metric so we have CPU utilization disk read ops disk write ops disk read bytes disk write bytes network in network out network packet in uh network packets out and the idea is that you can just like click there into EC2 and then kind of get that data there and so Cloud metrics are leveraged by other things like CloudWatch events CloudWatch alarms CloudWatch dashboards so just understand that [Music] okay all right so what I want to do in this follow along is show you a bit about CloudTrail so we're going to go to the top here and type in CloudTrail the great thing about CloudTrail is it's already turned turned on by default so it's already kind of collecting some information and so here it says now use IAM
Access Analyzer on CloudTrail trails that sounds pretty cool to me but uh we shouldn't have to create a trail right off the bat because we'll have some event history and the event history allows us to see things that are happening within our account in the last 90 days um but the thing is if you want something beyond 90 days you're going to have to create a trail but if we just take a look here we can kind of see uh as we've been doing a lot of things all the kind of actions that's been happening so here we have an that I terminated so if I go in here and and look at it I can kind of see uh more information about it so we can see when it terminated who had done that what access key they had used the event source the request ID um the source IP what whether it was read-only what was the event type that was called the resource there and this is the actual raw record so this is generally how I would look at it or this is how you had to look at it back in the day um but the idea is that you would have that uh user identity described the event time the source the event name the region the source IP the uh the agent all the information there okay and so this is a great way to kind of find stuff so you can go through here and try to debug things this way so you can go to the event name and so if you if you go here you can kind of get uh see a bit of stuff here so if I was just trying to say like maybe create I'm just trying to find something that I know that I've been doing like create access keys I can see the access keys that going be created within this uh sandbox account here for the user and things like that so it's a great way to kind of find things but generally you're going to always want to turn on uh or create your own trail so if you go here and hit create trail say my new trail and um you're going to need an S3 bucket for that you'll probably want encryption turned on which sounds good to me you'll absolutely want log file validation and generally you don't want
to store your your CloudTrail logs within the existing account you want to have a isolated hardened account that that is uh infrequently accessed or only by your your Cloud security Engineers um away from here because you don't want people tampering with it deleting it or changing stuff but um we'll just take an existing one here I don't want a customer managed don't I have one that is managed by AWS here new custom uh we'll choose that one I don't know which one that is we'll just hit next usually AWS gives you a managed key there so I was kind of surprised um you can also include additional data so if you do data events this would collect information from S3 um but the thing is you might not want to track everything because if you track to everything it can get very expensive very quickly uh but if you don't you just leave on management events it'll save you more money there's Insights events uh this is new I haven't seen this yet so ident I identify unusual activity errors users behavior that sounds really good but these could come also at additional charges but I'm going to hit next anyway for fun I'm going to create that trail okay and uh the key policy does not Grant sufficient access to etc etc so I'm going to go turn that off even though I should really have it turned on but I just want to be able to show you this okay so we have this new Trail and so this Trail is being dumped to S3 so we might not be able to see anything in here as of yet but I'm just going to pop over here and just see right I probably have one in my other account but it's not um it's not that important and we basically saw what the data would look like so we go into here there's a digest I don't remember there being a digest so that's nice so there's no data yet but when there is it will pop into there um I'm not sure if we're going to be able to do anything with insights here at least not in this account insights are events that show unusual API activity and things like that so
that's kind of cool I don't know what CloudWatch insights looks like uh Insights events are shown in the table for 90 days okay so I'm just uh curious if we can see kind of a screenshot of what that looks like whoops well we're at least on the article here so I guess you get kind of get like some kind of graphs or something saying like hey this looks unusual and they might select it so not pretty clear in terms of what that looks like but I mean sounds like a cool feature and I'm sure when I when working on my uh security certification course I will definitely include in there but that's pretty much all there is to it um I'm going to go ahead and delete um that Trail because I I just don't really need in this account but generally you always want to go in and create a trail um and what you can do is if you're in your root account I'm not this is actually a an account that's part of an organization but if you're at that organization level you can create a trail that that spans all the regions that spans all the AWS accounts with an organization and that's what you should be doing okay but uh that's about [Music] it hey this is Andrew Brown from exam Pro we're looking at ML and AI services on AWS but let's first just Define what is AI ML and deep learning so AI also known as artificial intelligence is when machines that perform jobs that mimic human behavior ml or machine learning are machines that get better at a task without explicit programming and deep learning or DL are machines that have an artificial neural network inspired by the human brain to solve complex problems and a lot of times you'll see this kind of onion where they're showing you that um you know AI uh can be using ml or deep learning and then deep learning is definitely using machine learning but it's using neural networks and so for AWS their Flagship product here is Amazon SageMaker it is a fully managed service to build train deploy machine learning models at scale um and there's a
bunch of different kind of Open Source Frameworks you can use with it like Apache MXNet ons which is an open source deep learning framework that is the one that AWS decided to say hey we are going to back this one and so you'll see a lot of example code for that one we have TensorFlow that you can use PyTorch uh Hugging Face other things as well okay um and so there's a lot of uh Services underneath some that might be of interest to mention right away is like Amazon SageMaker Ground Truth which is a data labeling service where you have humans that label a data set that will be used to train machine learning models or maybe something like Amazon uh Augmented AI so human intervention review Services when SageMaker uses machine learning to make a prediction that is not confident uh and it has the right answer queue up the prediction for a human review and these are all about just labeling data um you know when you're using supervised um supervised learning but there are a lot of Services Under SageMaker itself and just AI services in general so we'll look at that next [Music] okay all right let's take a look at all the ML and AI services and there's a lot on AWS so the first is Amazon CodeGuru this is a machine learning code analysis service and CodeGuru performs code reviews and will suggest to improve the code quality of your code it can show visual code profiles to show the internals of your code to pinpoint performance next we have Amazon Lex this is a conversation interface service with Lex you can build Voice and text chat Bots we have Amazon Personalize this is a real-time recommendation service it's the same technology used to make product recommendations to customer shopping on the Amazon platform then we have Amazon Polly this is a text to speech service upload your text and an audio file spoken by synthe synthesized voice uh and that will be generated you have Amazon Rekognition this is an image and video recognition Service uh analyze image and videos to
detect and label objects peoples and celebrities then we have Amazon Transcribe this is a speech to text service so you upload your audio and that'll be converted into text we have Amazon Textract this is an OCR tool so it extracts text from scan documents when you have uh paper forms and you want to digitally extract that data we have Amazon Translate this is a neural machine learning translation service so use deep learning mod models to deliver more accurate and natural sounding translations we have Amazon Comprehend this is an NLP so natural language processing service find relationships between text to produce insights looks at data such as customer email support tickets social media and makes predictions then we we have Amazon Forecast this is a Time series forecasting service and it's you know uh I mean technically I guess it's a bit of a database but the idea here is that it can forecast business outcome such as product demand resource needs or financial uh performance and it's powered by ml or AI if you want to call it we have AWS Deep Learning AMI so these are Amazon EC2 instances they're pre-installed with popular deep learning Frameworks and interfaces such as TensorFlow PyTorch Apache MXNet Chainer GL uh Gluon uh Horovod and Keras we have AWS Deep Learning Containers so Docker images instances pre-installed with popular deep learning Frameworks and interfaces such as TensorFlow PyTorch Apache MXNet uh we have AWS DeepComposer this is machine learning enabled musical keyboard uh I don't know many people using this but it sounds like fun AWS DeepLens is a video camera that uses deep learning it's more of like a learning tool so again we don't see many people using this AWS DeepRacer is a toy race car that can be powered with machine learning to perform autonomous driving again this is another learning tool for learning ml they like to do these at re:Invent to have like these racing competitions Amazon Elastic Inference so this allows you
to attach low-cost GPU perform uh powered acceleration to EC2 instances to reduce the cost of running deep learning inference by 75% we have Amazon Fraud Detector so this is a fully managed fraud detection uh as a service uh it identifies potentially fraudulent uh online activities such as online payment fraud and the creation of fake accounts Amazon Kendra so this is an Enterprise machine learning search engine service it uses natural language to suggest answers to questions instead of just simple keyword matching so there you [Music] go hey it's Andrew Brown from exam Pro and we're going to do a quick review here of the big data and analytic services that are on AWS but before we do let's just Define what big data is so it's a term used to describe massive volumes of structured or unstructured data that is so large it is difficult to move and process using traditional database and software techniques so the first here we have is Amazon Athena this is a serverless interactive query service it can take a bunch of CSV or JSON files in an S3 bucket and load them into a temporary SQL table and so you can run SQL queries so it's when you want to query CSV or JSON files if you've ever heard of um Apache Presto it's basically that okay then we have Amazon CloudSearch so this is a fully managed full-text search service so when you want to add search to your website we have Amazon Elasticsearch Service um commonly abbreviated to ES and this is a managed Elasticsearch cluster and Elasticsearch is an open source full-text search engine it is more robust than CloudSearch but requires more server and operational maintenance then we have Amazon Elastic MapReduce commonly known as EMR and this is for data processing and Analysis it can be used for creating reports just like Redshift but is more suited when you need to transform unstructured data into structured data on the Fly and it leverages open-source um technology so like Spark um Hive Pig things like that then we have
Kinesis Data Streams this is a real-time streaming data service it creates producers uh which sends data to a stream it has multiple consumers that can consume data within a stream and use uh it for realtime analytics click streams ingestion data from Fleet of IoT devices then we have Kinesis Firehose this is a serverless and a simple version of a data stream and you pay on demand based on how much data is consumed through the stream and you don't worry about the underlying servers then you have Amazon Kinesis Data Analytics this allows you to run queries against data that is flowing through your real-time stream so you can create reports and Analysis on emerging data and last on the Kinesis side here we have Amazon Kinesis Video Streams this allows you to analyze or apply processing on real-time streaming videos onto the second page here we have managed Kafka service MSK um and it might be MKS um now that I'm looking at it here so just be aware that that might be incorrect but a fully managed Apache Kafka service Kafka is an open-source platform for building real-time streaming data pipelines and applications it is similar to Kinesis but with more robust functionality then we have Redshift which is um AWS's flagship uh Big Data tool it's a petabyte size data warehouse the data warehouses are for online uh online analytical processing OLAP so data warehouses can be expensive because they are keeping data hot meaning that we can run a very complex query in a large amount of data and get that data back very fast but this is great when you need to quickly generate analytics or reports from a large amount of data we have Amazon QuickSight this is a business intelligence tool or a business intelligence dashboard BI for short you can use it to create business dashboard to power business decisions it requires little to no programming and connect and adjust to many different types of databases if you ever heard of Tableau or Power BI this is just the AWS equivalent
we have AWS Data Pipeline this automates the movement of data you can reliably move data between compute storage and services we have AWS Glue this is an ETL service so it allows you to move data from one location to another where you need to perform Transformations before the Final Destination it's similar to DMS but it's more robust we have AWS Lake Formation this is a centralized curated and secured repository that stores all your data so it's a data Lake it uh is a storage repository that holds a vast amount of raw data in its native format until it is needed and then last on here we have AWS Data Exchange this is a catalog of third-party data sets you can download for free uh or subscribe or purchase data sets so they might have like the covid-19 foot traffic data the IMDb TV movie data historical weather data and sometimes this is really great if you're just trying to learn how to to work with these tools [Music] okay hey this is Andrew Brown from exam Pro and we are taking a look here at Amazon QuickSight which is a business intelligence dashboard or BI dashboard that allows you to ingest data from various AWS storage or database services to quickly visualize business data with minimal programming or data formula knowledge so here's an example of a QuickSight dashboard um and so the way QuickSight is able to make these dashboards super fast is if you have SPICE the super fast parallel in-memory calculation engine um and the thing is you don't have to use SPICE um but generally it is good to use it uh and there are some caveats when getting your data into QuickSight sometimes it can't ingest data directly from a particular uh data store so you might have to dump it to S3 first but it's not too bad because you can use AWS Glue to transform that data over um there are additional features sometimes marketed as services but we have QuickSight ML Insights this detects anomalies perform accurate uh forecasting it can generate natural language narrative so
basically like you know describe it as if you're going to read it out as a business report you know then there's Amazon QuickSight Q this allows you to ask questions using natural language on all your data and receive answers in seconds so there you [Music] go hey this is Andrew Brown from exam Pro and let's go take a look at Amazon QuickSight which is a or QuickSight which is um a business intelligence tool so when you go here you have to uh sign up because it's kind of part of AWS but on its own separate thing and then you have to choose what you want so we have Enterprise and standard um I do not want to pay that much so I'm going to go to standard over here I'm not really sure what the difference is it's not really telling me what um between standard and Enterprise but I'm going to assume standard is more cost effective but here we it says use IAM federated identities which is fine use IAM federated identities only um we can stick with the top one there that seems fine to me we need to enter a name so just say my QuickSight account and we probably have to fill something in there so let's say Andrew exam pro. 
and these are the services that are going to integrate with Athena S3 RDS things like that I guess we could select some of those buckets I'm not too worried about doing that right now the provided account name is not available that is a terrible UI but that's AWS for you I'm just going to dump some numbers there going put my email in here again um we probably want some S3 buckets I'm going to make a new bucket because I think that's how we're going to do this we're going to have to make a bucket here and say uh QuickSight data okay and we're going to create ourselves a bucket here I'm going to go back and hopefully that shows up uh it does not so what I'll have to do is just back out and I'm just going to give it a hard refresh here and we're hit quick sign up for QuickSight again and we'll choose standard and we'll say my QuickSight account a bunch of numbers there Andrew exam pro. I don't really care about ingesting data from everywhere else I just want it from S3 there's my data uh sure we'll give it write permissions even though I don't plan to do anything with Athena here today and we'll give it a moment to load so what I'm thinking is so what I'm thinking is just making like an Excel spreadsheet here and just filling in some data so oh says our account is set up here so we'll go to QuickSight because I bet it can import like a CSV or something um I'm more of a Tableau or Power BI kind of person um but uh you know for the purpose of the cloud practitioner I am going to show you this Amazon QuickSight lets you easily visualize data and Etc that sounds great next next next I know what I'm doing oh do we have some examples great so I don't even have to make a spreadsheet okay so what we'll do is just click on that and we have stuff it looks like they've really improved this since the last time I've seen it which is quite nice um but I could try and make my own I'm just trying to think how do we do this again yeah we have the SPICE there so it's a lot easier from
starting from scratch I'm just going to say close and user analysis we want data sets in here oh we already have some data sets these are coming from S3 I think that's the old S3 logo I'm not sure why they're using that one we can go here and create a new data set oh we can upload directly so I don't even have to use use S3 that's great so what I'm going to do is just have some values in here so I'm going to just say um uh type value so we'll say banana 125 123 we'll say apple 11 orange nobody likes oranges I shouldn't say I'm sure it's like lots of people like oranges oh we got to put pears on there I actually really like pears people think I like bananas which is not true I actually like pears that's what I like so I'm going to go ahead and save this save as and I'm just going to save this to my desktop here so just give me a moment just doing this off screen and I'm just save this uh data set QuickSight CSV it can even take an XLS so I don't have to save it as a uh I'll just save it as a an XLS okay and so we're going to just upload that so there is that data set it's going to scan that file it's going to see that sheet you even preview it there's the information we're going to add that data uh I get add it as a data data set well how do I where where do I it's like it says add the data I just want to add it as a data set so they said up here save and visualize up here and is it autographing yet maybe if I drag in is it working is it thinking okay it's at 100% so I'm going to just drag that onto there and it says pear orange banana just kind of trying to make sense of this here is it taking and count the value maybe put the value down there wow that's so much easier I haven't used this for like a year and and um I'm going to tell you this has gotten a lot easier to use so I'm quite impressed with this but yeah I mean this is pretty much what QuickSight is if you want to visualize things in different types you can drag them out you can probably like click on the
the wheel here and change it again I'm not sure exactly how all the uh the dials and knobs work here but I mean another thing we could do is just drag out like another object and do the same thing so maybe I'd want a pie chart um so uh a visual yeah it's not as nice as Power BI but like it's still great that it's here you know type value so we got a nice pie chart there uh let's try something weird let's give this one a go doesn't color it which is not very nice um there's probably some kind of way to color it but focus on banana only I don't know I don't know what the point of there but anyway that's QuickSight so um I really don't want to pay for this this so what I'm going to do is go up here um there's you have to deactivate I'm just trying to remember how because they change the interface again they change everything on you so maybe we go I'm on a trial for four days here maybe quantity for just the four 29 day trial so if I want to get out of this trial what do I do I don't want to use it anymore um so how to delete AWS QuickSight canceling your subscription so before you can unsubscribe uh you're signed in the IAM account you're QuickSight administrator you're the root IAM administrator sure uh you deleted any secondary name spaces to find the existing name space Etc so choose your username in the application bars manage QuickSight account settings unsubscribe so I was almost there I thought I was in the right place uh this one no I was just there manage QuickSight your subscriptions edit there's no unsubscribe option so I'm not sure can I cancel unsubscribe button does not appear in QuickSight and it could just be because we're on trial and so maybe after the end of the trial it will uh it will vanish there they are not making this easy for me account settings ah delete accounts so this is what we're probably want to do permanently delete the account yes I mean that has to get rid of the subscription because it gets rid of everything there we go we'll say
confirm delete account unless you're using them in the services blah blah blah blah blah um successful okay great so now I should go back to aws.amazon.com and just to confirm that it's gone I'm going to go to QuickSight again and just see if it's trying to ask me to sign again so it is so I've gotten rid of my account so we're all in good shape and uh yeah that is that is QuickSight all right let's take a look at some more machine learning AI Services because AWS won't stop making these things um and basically last time I made uh the videos all this generative stuff did not exist so we need to cover it the first is Amazon Bedrock so the uh this uses large language models and makes it a cloud service is offering to generate text and images responses if you know what ChatGPT is you know what Bedrock is we have Amazon CodeWhisperer it's an AI code generator that will predict code to meet your use case uh so if you've heard ever heard of GitHub Copilot it's the same thing basically uh it's going to write code for you or along with you I should say uh we have Amazon DevOps Guru this uses ml or machine learning to analyze your operational data and application metrics and events to detect operational abnormalities um imagine if you had kind of like a junior devops person digging into your metrics to figure out if there's something wrong then we have Amazon Lookout this is actually three different um offerings we have Amazon Lookout for Equipment Amazon uh Lookout for Metrics and Amazon Lookout for Vision they all seem to have to do something with quality control and Performing automated inspection so vision of course would use Vision to detect anomalies uh one would be for equipment to detect if there's anything wrong with operational equipment uh and then metrics would be you know with metric data so something probably more for um the hard Industries uh to utilized and you have Amazon Monitron so this uses machine learning models to predict unplanned
equipment downtime and so the way they do that is they have these uh IoT sensors that's going to capture vibrations and sensor data from your Hardware then we also have AWS Neuron this is an AWS SDK used to run deep learning workloads on AWS uh infer I can't say that word but I know what it is it's basically um it's a machine learning acceleration on GPUs that you can attach and AWS train Trainium so yeah I wish the words weren't so hard there's actually more um stuff that AWS has for machine learning I didn't include them because they were just too far out there and they're definitely not going to show up in your exam you'll definitely never see them but we now have better coverage what I really wanted to show was Bedrock and CodeWhisperer because I feel like those two uh will show up on future exam so I'm just trying to get those in front of you now even if they're not on the exam uh at the time of this recording okay [Music] ciao all right so you probably already know what generative AI is but just in case you don't I want to just quickly cover it and show a very tiny example uh so generative AI which also can be shortened to gen AI though most people don't say that uh is a type of artificial intelligence capable capable of generating new content such as text images music or other forms of media so an example would be something like a software that I like to use called Midjourney uh where you can put in a prompt and so it will then go ahead and generate out an image um so all the cloud service providers have some kind of offering with both image and text um but yeah hopefully that makes sense the idea is that you can plug stuff in and you get stuff out okay [Music] Let's us take a look here at machine learning and deep learning Frameworks and so these are Frameworks that can be used with SageMaker or have direct support for them I just want to get you some uh exposure and to uh get you some context in terms of these because machine learning and AI and all this stuff
is becoming more popular so you should at least have heard of these things so I have all the logos on the left hand side and we'll go through them the first is Apache MXNet so this is a machine learning framework adopted by AWS basically um every single cloud service provider backs their own kind of open-source framework and they try to make that the one that they suggest you to use but in practice uh there's ones that are good and there's ones that people just don't want to use and Apache MXNet is not fun to use whatsoever um and so you'll see it all over in the marketing and pushed everywhere but really people want to use things like Keras TensorFlow but anyway I just wanted to point that out that it was has a bias because they've invested energy into uh their team of machine learning Frameworks you got PyTorch uh optimized for tensor Library uh for deep learning using GPU and CPU it's created by Facebook Facebook does not necessarily um have its own cloud service provider offering so it's kind of out there and so you'll see good support for PyTorch and all the major providers U the next is TensorFlow this is made by Google what's in with TensorFlow is Google made uh their own um GPU or TPU they call it a tensor Processing Unit so tensor is a a unit of thing in TensorFlow and it they have optimized hardware for it I personally find TensorFlow the easy to use or I should say Keras so um Keras is a high-level machine learning framework built on top of TensorFlow because these lower level ones were just really hard to use and so basically PyTorch came along and it was much easier to use and then then everyone noticed how easier PyTorch was and so that's where Keras came from was to be competitive with PyTorch and be easier to use then you have Apache Spark which is a unified analytics engine for large scale data processing but they do have ml offerings within it called Spark ML um so there's definitely things you can do there uh there's a piece of software called
Chainer um and it's for it's a deep learning framework that supports CUDA then there's Hugging Face which is not exactly a framework or tool it's just a way of accessing a lot of models online and data sets and quickly launching them for whatever reason I uh AWS has uh strong synergies with Hugging Face I've seen like developer Advocates and other uh folks that worked at AWS go over to Hugging Face and so there seems to be strong uh relationships between Hugging Face and AWS for whatever reason there's a lot of ml Frameworks out there but because uh ml is uh just uh progressively um are rapidly innovating you'll see Frameworks come and go and so I remember when I researched this and I was just trying to understand all the Frameworks out there there's just a lot and I just kept digging into them finding oh they're not active anymore they're not active anymore so I just want to point out that we have all these ones up on screen if they become unactive tomorrow I would not be surprised but uh for the most part all of these seem to be very popular uh and uh they're being well supported uh but yeah hopefully that gives you an idea of these Frameworks okay ciao [Music] all right let's take a look here at Apache MXNet a little bit more in detail because this is the framework that AWS wants you to use whether you want to use it or not is a different story uh but you'll see it all over in their marketing pages and things like that so Apache MXNet is a deep learning machine learning framework which supports many many different programming languages so that is one advantage of it uh the key features uh is that it's scalable it's flexible it's portable it's it supports multiple programming language AWS has made Apache MXNet their framework of choice so there's lots of support for it within AWS SageMaker and the AWS ML containers but I have noticed that they've been increasing support for PyTorch so maybe you know they're just trying to meet the customer where they are but
anyway um there is a lot of stuff for MXNet MXNet has two high-level interfaces uh one's called Gluon and there is module API so uh depending on which one you use one is imperative programming one's symbolic programming uh this is more of a deeper concept for machine learning but I'm going to tell you one is really easy one is really hard um but uh let's look at a very simple example of uh some code for using the Gluon API so it kind of looks like that you can see that they are using Python so hopefully that gives you an idea of uh MXNet and its offering the key thing is that it offers it in a lot of different programming languages will this appear on your exam absolutely not but should you know it you absolutely should um just so you have good context with AWS and ml so there you [Music] go I want to talk a little bit about Intel because I think it's very important to remember the hardware that is running with these um cloud service providers because it really does matter um and there's a couple terms you might see when using a compute that you're not aware of and I want to make sure you know what they are so let's talk about what is Intel so Intel is a multinational corporation is one of the world's largest semiconductor chip manufacturers Intel is the inventor of the x86 instruction set so basically uh they released this chip back in 1978 this one's called the Intel 88086 chip and the idea is that um they came up with an instruction set um it's basically a bunch of words that you can use um to program the chip and it's a lower level language so um that lower level language would be an assembly um if if that makes any sense so the idea is that you have this um instruction set and you have to write an assembly and so basically most modern programs like when you use uh programming languages like uh C it will actually compile down to assembly um or other languages will compile down to assembly because that is what the chip understands and then assembly is turned
into machine code like the zeros and ones and the reason I'm mentioning this is that when you go and you uh launch uh a compute uh instance let's say on AWS uh you're launching a EC2 instance you have to choose uh whether it's x86 or a different instruction set or architecture and so the other one is ARM and they're both really really good it just depends on whether uh uh your stuff can support it but for the most part Intel has ARM chips as well so um there is no company that produces ARM chips per se it's just an architecture and uh the way it works is that it just has fewer instruction sets so there's fewer uh rules that you can write in so it's a more limited writing it in assembly but at the end of the day it doesn't matter because your programming language is going to compile it down so you don't have to worry about those fewer instructions but because it has fewer instructions it generally results in a better uh Power efficiency and so it can have better performance or better or better cost to you the customer so when I can I try to run ARM and for the most part it's always great to run ARM but uh it really depends on if your software is going to be able to run on ARM um and stuff like that so I just wanted to point out those two things there about uh at least Intel and then instruction sets [Music] okay all right I want to talk about two things um that Intel has with AWS and the first is Intel Xeon Scalable processor and the second is Intel Gaudi um so it of course does work with or purchases um Hardware from other um uh other companies like they use AMD and Nvidia but I think it's worth mentioning Intel in a little bit more detail here here because every time I go to re:Invent Intel has a big giant booth and you can go scour the AWS website and it just looks like AWS works more closely with Intel as opposed to the other uh providers not to say that Intel is not being utilized on GCP and Azure and others but uh I just noticed something more going on there
with AWS but let's first talk about Intel Xeon Scalable processors these are high performance CPUs designed for enterprise and server applications commonly used in EC2 instances um that scalable part makes them very good for machine learning so you often are going to be using Intel Xeon processors whether you know or not on AWS the Intel is the Intel uh Habana Gaudi processor so this is a uh processor specialized for AI training uh you could say that this is a direct competitor to Nvidia or a similar competitor because uh they uh they uh do something very similar um I believe that Intel Gaudi has their own SDK called SynapseAI uh that you can use to interact with it so you launch up SageMaker and then use uh that uh that API or SDK in order to uh best utilize uh that hardware there but both of these um pieces of hardware are offered uh on AWS and I think it's just good to know them at least to name uh what they are [Music] okay

hey this is Andrew Brown and let's talk about GPUs I'm sure most people know what GPUs are here but I'm going to talk about it anyway because I want to talk about CUDA so a GPU stands for general processing unit and it's a processor that is specialized to quickly render high resolution images and videos concurrently if you've ever played video games you know you need a good GPU because it's all about those images however GPUs can perform parallel operations on multiple sets of data so they can also be used for non-graphical tasks and this makes it really good for machine learning and scientific computation so if you're trying to uh convince your significant other that you need a better graphics card you can just tell them it's for work I need it for machine learning and scientific computation it's not your fault that you can also play video games with it and so we have like a graphic there on the right hand side I think I got that from Nvidia and so they're kind of trying to demonstrate the difference between uh the parallelization with
GPU versus serial tasks with CPU but let's go and just read a little bit more so CPUs can have an average of four to 16 processor cores GPUs can have thousands of processor cores how that works I have no idea but I just know that that's how it works uh so we have 48 GPUs can provide as many as 40,000 cores so that is a lot GPUs are best suited for repetitive and highly parallel computing tasks such as rendering graphics cryptocurrency mining if people are even still doing that and deep learning and machine learning so you know there you go that's GPUs [Music]

all right let's take a look here at CUDA but before we do let's talk about Nvidia so Nvidia is a company that manufactures graphical processing units for gaming and professional markets if you have ever played video games and you build your own rig um a lot of people like to choose Nvidia but Nvidia can do things other than video games and this is due to their framework uh called CUDA which stands for Compute Unified Device Architecture so it's a parallel computing platform and API I said framework but I guess it's an API by Nvidia that allows developers to use CUDA-enabled GPUs for general purpose computing GPUs and it says GPGPU because it's saying general purpose GPUs I know that's a mouthful there um so over on AWS they have a bunch of instances that um can utilize uh Nvidia GPU so AWS is always changing the instances so these could be old but you can see we have a P3 which has the Tesla V100 you have the G3 with a Tesla M60 the G4 with the T4 uh the P4 with the Tesla A100 so there's probably these are probably old ones there's new instances with newer Nvidia cards but my point is is that AWS has uh GPUs that you can utilize another thing I want to point out with CUDA is that all major deep learning frameworks are integrated with Nvidia deep learning SDKs there's a big fight or war over um uh these companies that make uh GPUs and CPUs because they really want the uh theirs to be used for
machine learning so you can definitely be sure that AMD probably has some kind of similar offering or something uh and definitely Intel as well um but Nvidia has done a very good job in uh making sure that theirs is the most popular um so Nvidia Deep Learning SDK is a collection of uh Nvidia libraries for deep learning so this is something that this is the SDK you can use with CUDA to interact with their API uh so one of those libraries are called CUDA Deep Neural Network library so that's something you can use with it and it's uh tuned for a bunch of stuff if it looks like it's getting a little bit too um uh technical it's because this slide was for my machine learning uh in AWS specialty and I didn't do a whole lot to change it and brought it over uh so you don't really need to know that last part there but just understand what CUDA is and that it's uh very important uh for working with machine learning and AWS has uh good offerings uh for instances with it [Music] okay

hey this is Andrew Brown from ExamPro and we are taking a look at the AWS Well-Architected Framework so this is a white paper created by AWS to help customers build using best practices defined by AWS you can find this at aws.amazon.com/architecture/well-architected this idea is not unique to AWS the other providers have it but I believe AWS was the first one to define this and they have a really good uh a good approach to this and this is pretty much essential knowledge that you have to have uh for certifications when we're looking at the Cloud Practitioner the Solutions Architect Associate and Professional because um there's a lot of principles here best practices that AWS uses themselves to architect their infrastructure okay so the framework is divided into five sections called pillars which address different aspects or lenses that can be applied to a cloud workload so imagine you have your cloud workload you're going to want to adopt an AWS Well-Architected Framework some things that you know
people don't consider outside the five pillars is that you need to know general definitions uh general design principles and the review process um and then from there you have your five pillars so you have operational excellence security reliability performance efficiency and cost optimization and all of these have major sections in this uh white paper but outside of just the main white paper each of these have their own white papers that go even into farther detail so if you really want to uh really focus on security and get a lot more information they have that as well [Music] okay

let's take a look at the general definitions for the Well-Architected Framework starting with the pillars so the operational excellence pillar is there to run and monitor systems the security pillar is to protect data and systems to mitigate risk the reliability pillar is to mitigate and recover from uh disruptions the performance efficiency pillar is about using computing resources efficiently or effectively and the cost optimization pillar is about getting the lowest price and this is where you're going to find all the business value and I put an asterisk there because uh you know you might obsess saying we need to meet the requirements for all these pillars and that's not the case you can trade off pillars based on the business context so you know don't take it as uh literally implement every single thing but just consider that uh you know you might have to adapt it based on your workloads then we have some general definitions that we will come across so there's components so code configuration AWS resources against the requirement a workload so a set of components that work together to deliver business value milestones so key changes of your architecture through the product life cycle then there's architecture itself so how components work together in a workload and then we have technology portfolio so a collection of workloads required for the business to operate [Music] okay

so
the Well-Architected Framework is designed around a different kind of team structure so when you're looking at enterprises they generally have a centralized team with specific roles where AWS structures their teams as being distributed with flexible roles and so this new kind of methodology of distributed teams uh has some major advantages but it does come with some risks and so AWS has baked in some uh practices or uh things that they do to mitigate these issues okay so let's compare on premise enterprise uh to what AWS is proposing for your team structure so on premise what we'd see is a centralized team consisting of technical architects solution architects data architects network architects security architects and you kind of see that they all have a specialized vertical and they are usually managed by either TOGAF or Zachman Framework so those are just ways of structuring your teams those are very popular and so what AWS is proposing here is that you have a distributed team and uh the way you're going to make that team work because obviously just thinking about distributed team they're going to be a lot more agile but to make sure that they effectively work you have practices like team experts who raise the bar uh making sure that you know uh in any areas we can always say how can we do this better uh then there are mechanisms in place for automated checks for standards so that's the great thing about cloud can all be automated to say hey does it meet our regulatory compliance or what have you and then there's the concept of the Amazon leadership principles which we will cover on in the next slide in detail and so um you know AWS is not obviously using uh these other frameworks because it has its own which is this one here but the mechanism to which they stay organized and up to date is they are supported by a virtual community of subject matter experts principal engineers so that what they'll do is they'll engineer things like lunchtime talks
and then recycle that into their onboarding material or into this framework itself okay [Music]

so we're taking a look here at Amazon's leadership principles and these are a set of principles used during the company's decision-making problem solving simple brainstorming and hiring all right um and so I can't say that I like all of these but definitely some of them really stand out as being great especially the first one which is customer obsession so instead of worrying about what your competitors are doing think about what the customer wants work your way back and uh you know really focus on the customer needs then there's ownership so if you're going to go do something uh you know try to be your own mini boss uh and take responsibility for whatever it is you're building invent and simplify so you know always look for the simplest solution don't try to engineer something super complicated if it's not necessary uh are right a lot so you know try to be right uh learn and be curious so that's pretty self-explanatory hire and develop the best insist on the high standards AWS always refers to this as raising the bar think big bias for action frugality AWS is really frugal if you didn't know that but not just for like themselves but also for their customers they want customers to uh spend the least amount of money possible when using their infrastructure earn trust uh dive deep have a backbone disagree and commit deliver results strive to be the Earth's best employer success and scale bring broad responsibility and if you want to read these in detail because they have a big block of text for each of these uh you can go to amazon.
jobs/en/principles and read all about it [Music] okay

all right let's talk about some general design principles uh that you should be considering when you are designing your infrastructure no matter what pillar that you are looking to adopt the first is stop guessing your capacity needs so the great thing with cloud computing is you use as little or much based on demand whereas on premise you would have to purchase a machine and you'd have to make sure you have additional capacity so that you could grow into it right and so here with uh cloud you do not have to worry about that uh test systems at production scale so be able to clone your production environment to testing tear down testing while not in use to save money so a lot of people will have a staging server that they run all the time but the great thing here is that with cloud you know it's you can just spin it up and have it right away and then tear it down and save money um there's automating to make architectural experimentation easier this is talking about using infrastructure as a code so for AWS this would be using CloudFormation creating change sets which kind of um uh say exactly what is going to change stack updates drift detection to see if your stuff is uh being changed over time by developers through manual configuration things like that then we have allow for evolutionary architectures so this is about adapting CI/CD um doing nightly releases or if you're using serverless if you adopted Lambdas they deprecate over time forcing you to use the latest version uh and so that is evolutionary architectures then we have drive architectures using data so um when you're using cloud there's a lot of tooling in there to automatically start collecting data so CloudWatch will be collecting some things by default and CloudTrail will as well so you know that is another thing and then improving things through game days so this is about simulating traffic on production or purposely killing EC2 instances or
messing with your services to see how well they recover [Music]

all right before we jump into each of the pillars let's go open them up and take a look at what structure we should expect to see so we have design principles definition best practices and resources all the pillars follow this to a T so let's just talk about what these are so the design principles are a list of design principles that needs to be considered during implementation and that's where we're going to focus a lot of our energy then you have definition so this is an overview of the best practice categories then you have the best practices themselves these are detailed information about each practice with uh various AWS services and then you have resources these are additional documentation white papers uh and videos to implement this pillar and I just want to tell you that if you're doing the Certified Cloud Practitioner we're really just going to cover the design principles but for the Solutions Architect Associate or anything uh that's associate or above that's where we're going to actually dive deep into the implementation of the best practices because there is a lot of stuff there so uh yeah there we go [Music]

let's take a look here at the design principles for operational excellence so the first here is perform operations as code so apply the same engineering discipline you would to application code to your infrastructure so by training your operations as code you can limit human error and enable consistent responses to events generally we're talking about infrastructure as a code here so this would probably be like things like CloudFormation there's other things you could do like policy as a code and a bunch of other ones then we have make frequent small reversible changes so design your workloads to allow components to be updated regularly uh this could be talking about doing rollbacks incremental changes blue/green deployments having a CI/CD pipeline refine operations
procedures frequently so look for continuous opportunities to improve your operations uh here you use game days to simulate traffic or event failure on your production workloads anticipate failures to perform post-mortems on system failures to better improve write test code kill production servers um there's a small spelling mistake it should have an R here so servers to test recovery learn from all operational failure so share lessons learned in a knowledge base for operational events and failures across your entire organization but you know if you can just remember these headings here uh and be able to categorize what would be under operational excellence you'll be okay all right [Music]

all right let's take a look at the design principles for the security pillar so the first here is implement a strong identity foundation so implement the principle of least privilege or PoLP that's a very popular concept meaning give people only the permissions that they need use centralized identity so that would be using AWS IAM avoid long-lived credentials then we have enable traceability so monitor alerts and audit actions and changes to your environment in real time integrate log and metric collection and automate investigations and remediation then we have apply security at all layers so take defense in depth approach with multiple security controls for everything from edge networks VPCs load balancing instances OS application code we might have a slide in this course on defense in depth where basically you see like a ring of things and you can kind of see how like there's layers that go from outward to inward and that's what they're talking about when they're listing out all these things here automate security best practices uh protect your data in transit at rest uh keep people away from your data the reason I don't have descriptions there is because those are pretty self-evident prepare for security events so incident management systems and investigation policies and processes
tools to detect investigate and recover from incidents and uh there are a lot of security tools out there and they all have funny initialisms I didn't put any of them in here but I'm sure there are some there um but yeah there you go for security [Music]

all right let's take a look at design principles for reliability and the first here is automatically recover from failure so monitor KPIs and trigger automations when the threshold is breached test recovery procedures so test how your workload fails and you validate your recovery procedures you can use automation to simulate different failures or to recreate scenarios that led to failures before scale horizontally to increase aggregate system availability so replace one large resource with multiple small resources to reduce the impact of a single failure on the overall workload distribute requests across multiple smaller resources to ensure that they don't share a common point of failure so we're talking about multi-AZ uh high availability okay stop guessing capacity we've seen this multiple times so in on premise it takes a lot of guess work to determine the elasticity of your workloads uh workload demands with cloud you don't need to guess how much you need because you can request the right size of resources on demand that's going to give you better reliability okay manage change and automation so making changes via infrastructure as a code will allow for a formal process to track and review infrastructure you're going to see IaC show up a lot in this framework [Music] okay

let's take a look at design principles for performance efficiency so the first here is democratize advanced technology so focus on product development rather than procurement provisioning and management of services because if you're on prem you'd have to order those machines set them up and so take advantage of advanced technology specialized and optimized for your use case with on demand cloud services because again if you're using
on prem uh you know you might not have the option to have SageMaker right it's just going to be a VM and you're going to have to do all the work yourselves whereas AWS has all these specialized things so you can move quickly uh go global in minutes so deploying your workload in multiple AWS Regions around the world allows you to provide lower latency and a better experience for your customers at a minimal cost we have use serverless architecture so serverless architecture removes the need for you to run and maintain physical servers for traditional computing activities removes the operational burden of managing physical servers and can lower transaction costs because managed services operate at cloud scale and AWS can be a lot better at um running them efficiently than you will uh experiment more often so with virtual and automatable uh resources you can quickly carry out comparative testing using different types of instances and storage or configurations to make the best choice we call this right sizing choosing the right size consider mechanical sympathy so understand how cloud services are consumed and always use technology approach that aligns best with your workload goals for example consider data access patterns when you select database or storage approaches [Music]

let's take a look here at design principles for cost optimization so the first one here is implement cloud financial management so dedicate time and resources to build capacity uh via cloud financial management and cost optimization tooling AWS is saying hey take advantage of all our tooling they make it easy for you to know exactly what you're spending adopt a consumption model so pay only for computing resources that you require uh and increase or decrease usage uh depending on the business requirements we're talking about on demand pricing measure overall efficiency so measure the business output of the workload and the cost associated with delivering use this measure to know the gains
you make from increasing output and reducing costs so stop spending money on undifferentiated that's a hard word to say undifferentiated heavy lifting so AWS does the heavy lifting of the data center operations like racking stacking and powering servers it also removes the operational burden of managing operating systems and applications with managed services this allows you to focus on your customers and business projects rather than your IT infrastructure and the last one here is analyze and attribute expenditure so the cloud makes it easier to uh accurately identify the usage and cost of systems which then allow transparent uh attribution of IT cost to individual workload owners this helps measure return on investment and gives workload owners an opportunity to optimize the resources and reduce costs so there you go [Music]

hey this is Andrew Brown from ExamPro and we are taking a look at the AWS Well-Architected Tool so this is an auditing tool to be used to assess your cloud workloads for alignment with the AWS Well-Architected Framework and so what it is it's essentially a checklist uh but it also has nearby references so you know as you're reading through it it will show you information uh and resources so that it can help you with this checklist here and the idea is when you're done you can generate out a report and then you can provide that report to your executives and key stakeholders to prove uh you know how well architected your workload is on AWS [Music] okay

hey this is Andrew Brown from ExamPro and in this video I want to show you two things the Well-Architected Framework and the Well-Architected Tool so first let's go look for the Well-Architected Framework so we're going to look up white papers uh AWS and so if we go here to aws.amazon.com/whitepapers we have a bunch of pages here and so I'm going to just checkbox on white papers so that we can kind of reduce the amount there and then I'm going to checkbox Well-Architected Framework
if we scroll all the way top here one of these you think it'd be right at the top but one of these is the Well-Architected Framework and here it is and so if we open it up used to just directly open up as a PDF I'm sure you can still download it as is but generally you're going to open up as this HTML page and you can basically read through it see all the stuff see the multiple pillars we can click into here see the design principles read the definitions and then start reading about uh the best practices and they have these things at the bottom of each one uh very boring very very boring but um you know when you get to the Solutions Architect and things like that you're going to need to know this stuff inside and out it's going to really help you out this Cloud Practitioner we only need to know surface level information um but that's the Well-Architected Framework let's take a look at the Well-Architected Tool so we're going to type in well here we'll get the Well-Architected Tool and if we go here you can see that I've created a couple before probably demos for um our videos and so I'm going to go define a new workload I'm going to say my workload here uh my workload whoops my workload it is messing up because I probably have Grammarly installed so it does not like Grammarly so I'm just going to turn it off for now so my workload and it's still not typing correctly so I have to kill out Grammarly here which is kind of frustrating so that's a bug that's not Grammarly's fault that's AWS's fault for not playing well with Grammarly and that's something I will definitely report to them because it's very annoying so I'm going to go ahead and refresh this page my workload my workload um and this is Andrew Brown production or pre-production doesn't matter pick your regions US East or US East 2 sure I'm selecting it there we go uh optional optional optional optional you go to next and then you can choose your lens serverless lens FTR lens so that's the
foundational technical review SaaS lens we can go with Well-Architected Framework and then once that is there we can start reviewing okay and then we get this big checklist and so we can go through this and read each one so we say OPS 1 how do you determine what your priorities are and all these things like OPS and stuff like that these are all the summaries in each of the Well-Architected Framework sections so you pretty much don't need to really read the doc you just go through this so everyone needs to understand their part in enabling business success have shared goals in order to set priorities of resources this will maximize the benefit of your efforts so select from the following evaluate the customer's external needs external customer needs evaluate internal customer needs if you click info it's going to highlight each one here so involve key stakeholders including business development operations teams this will ensure etc and so you just go through this and uh you know once you have that and you save and exit okay uh you'll have uh the questions that are answered it'll say what's high risk what's not things like that very simplistic it's really just a way of making a very organized report or checklist and proving that you went through it uh to the executive level or to the management level there so hopefully that makes sense to you um it's not too complicated but there you go [Music]

hey it's Andrew Brown from ExamPro and we are looking at the AWS Architecture Center so the Architecture Center is a web portal that contains best practices and reference architectures for a variety of different workloads and you can find this at aws.
amazon.com/architecture so if you're looking for best practices in terms of security they have a huge section on that and they have it for pretty much every kind of category on AWS or if you're looking for uh practical examples you can view the large library of reference architectures so here's one to make an AWS Q&A bot and it will have an architectural diagram but you can also uh deploy via CloudFormation or possibly CDK um and this way you can get a working example and then tweak it for your use case so this is a really great tool um when you are done the AWS Well-Architected Framework and you're saying okay how do we apply it can we get more concrete examples and I wouldn't be surprised if a lot of the resources within the Well-Architected Framework white paper are just pointing to the center okay [Music]

hey this is Andrew Brown from ExamPro and we are taking a look at the concept of total cost of ownership also known as TCO so what is TCO well it is a financial estimate intended to help buyers and owners determine the direct and indirect cost of a product or service so here is an example of you know TCO for maybe like a data center so we have hardware monitoring installation IT personnel training software uh security licensing and taxes but that's not just the limit of it it's just kind of the examples we show here uh the idea of creating TCO is useful when your company's looking to migrate from on prem to cloud and we will have a better uh kind of visual here to kind of understand how you would contrast against on prem to cloud but let's just talk about how it actually works in practicality which I think gets kind of overlooked when cloud service providers are selling you on TCO so the idea is a Gartner um you know they uh they were they wrote this article based on this research where an organization had moved 2,500 virtual machines over to Amazon EC2 and so what you're seeing here is that there is a an additional cost that we're not considering which is
the migration cost see this bar up here um so the idea is that the company was paying around 400,000 and so they started to move over and as you see uh their costs initially went up for a short period of time here uh but then once that migration cost was over uh you can notice that they had a 55% reduction so it's uh totally possible to save money uh and clearly there is great savings uh now is it exactly what AWS promises probably not and that's that could be the reason why they update their TCO calculator but let's now just do that contrast against the two so we have on premise on the left and AWS on the right or any cloud service provider and what I want to do is help you think about what cost do people generally think about because if we have like iceberg the idea here is that these are the costs that we always think about above the iceberg and then there's these hidden costs that we just don't consider when factoring our move and that's the idea of TCO is to consider all the costs not just the superficial ones and so people say these look like teeth and that's why I add penguins and a whale here um and so when we're talking about on premise what we generally think are software license fees and subscription fees but when you compare those against each other they might look the same um AWS might just look slightly cheaper or even more and so the idea is you need to then factor in everything so on premise there's implementation configuration training physical security hardware IT personnel maintenance and on the AWS side you know you don't have to do as much of that stuff so you just have implementation configuration and training and so AWS with their TCO calculator their old one used to make a promise of 75% in savings um again you know this is going to really vary based on what your migration strategy looks like um but you know it's totally possible you could save 75% or you could save 50% over a third year a three-year period and there's an
initial spike so that's just something you have to consider but the nice thing though is that once you've moved over all the stuff over here on the left hand side will be AWS's responsibility [Music] okay

all right so let's take a look at capital versus operational expenditure so there's capex and opex so on the capex side the idea here is you're spending money upfront on physical infrastructure deducting that expenses from your tax bill over time uh a lot of companies that are running their own data centers uh or have a lot of on-premise stuff understand what capex is because um it's something that a lot of times they get tax breaks on and that's why we see a lot of people that have a hard time moving away from the cloud because you know they keep on thinking about that money they save from the government but capex costs would be things like server costs storage network costs backups and archives disaster recovery costs data center costs technical personnel so the idea is with capital expenses you have to guess upfront what you plan to spend okay with operational expenditure the idea here is the cost associated with an on-premise data center that has shifted the cost to the service provider the customer only has to be concerned with non-physical costs so leasing software and customizing features uh training employees and cloud services paying for cloud support uh billing based on cloud metrics so compute usage storage usage and so the idea here is with operational expenses you can try a product or service without investing in equipment so basically capex is what we think about when we think of on premise and then opex is what we think about um you know when we're thinking about cloud or AWS [Music] okay

all right let's ask a very important question about cloud migration so does cloud make IT personnel redundant so a company is considering migrating their workloads from on-premise to the cloud to take advantage of the savings there is a concern among
the staff that there will be mass layoffs. Does cloud make IT personnel redundant? And that's a very important question to have an answer to, and this all talks about shifting your IT team into different responsibilities. So a company needs IT personnel during the migration phase. As we saw with that Gartner research report, there was a period, at least like a year, where they needed that, you know, depending on the size of your company, so you're still going to need those people around. A company can transition some roles to new cloud roles. So a very traditional example would be you have your traditional networking roles, where people have like their CCNA, and now they're moving over to cloud networking. They have a reduced workload, but there's other things that they could be doing in the cloud. A company may decide to take a hybrid approach, so they'll always need to have a traditional IT team and a cloud IT team. And the last one, and this one you'd actually see on the exam, which is: a company can change employees' activities from managing infrastructure to revenue-generating activities, okay? So the idea is that, you know, if you're a company, why would you get rid of all your staff when you can just put them all into revenue generation? I suppose, you know, you could lay them off, and some companies might do that, or, you know, you could just retrain them, because if that IT personnel team has technical expertise, I'm sure they can translate that to the cloud.

Let's talk about the AWS Pricing Calculator. This is a free cost estimate tool that can be used within your web browser, without the need of an AWS account, to estimate the cost of various IT services, and this is available at calculator.
aws, and the reason we're bringing this up is because there used to be a TCO calculator, but now this is the calculator that you use. So the AWS Pricing Calculator contains 100-plus services that you configure for a cost estimate, and so you can just click through a bunch of knobs and boxes to, you know, exactly figure out a very accurate cost. So the idea here is that to calculate your TCO, an organization needs to compare that existing cost against their AWS costs, and so the AWS Pricing Calculator can be used to determine, you know, the AWS costs, and obviously the organization knows its cost, so it can compare it against that. And the way you can get data out of this is you can export it as a final estimate to a CSV, okay?

Hey, this is Andrew Brown from ExamPro and we are taking a look at the AWS Pricing Calculator. So to get there it's calculator.aws. What you're going to do is hit Create estimate, and then here you have a bunch of services, so you just choose what you want. So you type in EC2, we're going to configure that, and from there we can do a quick estimate or an advanced estimate. So: choose this option for a fast and easy route to ballpark an estimate; choose this option for a detailed estimate for accounts, workloads and stuff. So notice down below, very simplistic. We hit Advanced and we get all sorts of stuff, okay? So, you know, it's really up to you. I'm very comfortable with the advanced options, so I might be running a Linux machine. What is my usage? It's going to have daily spikes of traffic, because of the use cases. You could say it's not busy on Saturday and Sunday, that it has a baseline of one, a peak of two, eight, things like that. Then you can choose what you're using. t4g, I don't even know what that is, but we'll just say like t2.micro, which is not that big, t3.micro, and you can say we're doing on-demand, because a lot of people would be doing that, and you see like $7 a month, it's not a lot of money. Then you're looking at your storage, data
in, data out, okay? So we can add that. Another thing that we might see is something like RDS, so we go to RDS and we add Postgres, and not all of them have the simple and complex, sometimes they're simple. So production database, we'll have one here, and we're just going to say a db.t2.micro, t3.micro, there we go. 100, that's fine. We're not going to have Multi-AZ, we'll have Single-AZ, on-demand, show the calculation: $13 a month. Add that to our estimate. So you're kind of getting the idea there, right? And so, you know, we have our summary, that's our monthly $391, oh sorry, over 12 months; our monthly cost is $32, okay? You can go back there, clone the service, edit it, stuff like that. You can export the estimate, I think it goes out as a CSV. You can also hit Share and then hit Agree, and so then you have a public link, and if I have that link we can just see what happens if I paste it. Okay, it just brings them to the same estimate. So there you go.

Hey, this is Andrew Brown from ExamPro and we are taking a look at Migration Evaluator. So it was formerly known as TSO Logic, and then AWS acquired the company, and it is an estimate tool used to determine an organization's existing on-premise costs, so it can compare them against its AWS costs for a planned cloud migration. So the idea is that you can get very, very detailed information, and the way it collects information is via an agentless collector, to collect data from your on-premise infrastructure to extract your on-premise costs. I don't know if you can see there, but you can see that it works with a lot of different kinds of on-premise technology, like VMware, Microsoft, T-SQL, all sorts of things, okay?

One migration tool that we can use with AWS is VM Import/Export, and this allows us to import virtual machines into EC2. So AWS has import instructions for VMware, Citrix, Microsoft Hyper-V, Windows VHD from Azure and also Linux VHD from Azure. And so the way this works is that you prepare your virtual image for
upload, and AWS has a bunch of instructions for that. Once it is ready, you're going to upload that to an S3 bucket, and once it's uploaded to an S3 bucket, then what you can do is use the AWS CLI to import your image. And so that is the CLI command down below, and once it is produced it will generate out an Amazon Machine Image, and so from an AMI you can then go launch your EC2, okay?

Hey, this is Andrew Brown from ExamPro and we are taking a look at the Database Migration Service, which allows you to quickly and securely migrate one database to another. DMS can be used to migrate your on-premise database to AWS, and that's why we're talking about it. And so here's a general diagram, where you have your source database, which connects to a source endpoint, goes through a replication instance, so that's an EC2 instance that's going to replicate the data to the target endpoint, onto the target database. And so we have a bunch of possible sources, so we have Oracle Database, Microsoft SQL, MySQL, MariaDB, PostgreSQL, MongoDB, SAP ASE, IBM Db2, Azure SQL Database, Amazon RDS, Amazon S3, and I'm assuming these are database dumps, Amazon Aurora, Amazon DocumentDB. And so for possible targets it's very similar: we got Oracle Database, Microsoft SQL, MySQL, MariaDB, PostgreSQL, Redis, SAP ASE, Amazon Redshift, Amazon RDS, Amazon DynamoDB, Amazon S3, Amazon Aurora, Amazon OpenSearch Service, Amazon ElastiCache for Redis, Amazon DocumentDB, Amazon Neptune, Apache Kafka. I'm just showing you the list to give you an idea of how flexible this service is, but you can tell that these are very different databases, so how can it move them over, right? And so not in all cases can it easily do it. Like, it's very easy to go from MySQL to Postgres, but, you know, for ones that are like relational to NoSQL, this is where the AWS Schema Conversion Tool comes into play. It's used in many cases to automatically convert a source database schema to a target database schema, or semi-automate it so that you can
kind of like, you know, figure out how to map the new schema. Each migration path requires a bit of research, since not all combinations of sources and targets are possible, and it really comes down to even versions of these things. So, but I just want you to know about that, it's an option as a database migration service. And I've migrated a very large database before and it's super fast, and it's not that hard to use, so something you definitely want to remember when you're migrating.

Hey, this is Andrew Brown from ExamPro and we are taking a look at the Cloud Adoption Framework. So this is a white paper to help you plan your migration from on-premise to AWS. At the highest level, the AWS CAF organizes guidance into six focus areas: we got business, people, governance, platform, security and operations. And this white paper is pretty high level, so, you know, it doesn't get into granular details on how that migration should work, but gives you kind of a holistic approach. And I believe that probably through the AWS, Amazon Partner Network, there's people that specialize in using this particular framework to help organizations move over, and I believe that AWS has Professional Services through the APN. But let's just kind of break down what these six categories are. We're not going to go too deep into this, but let's do it. So the first is the business perspective, so these are business managers, finance managers, budget owners, strategy stakeholders. So it's how to update the staff skills and organizational processes to optimize business value as they move ops to the cloud. You have the people perspective, so human resources, staffing, people managers. So how to update the staff skills and organizational processes to optimize and maintain the workforce, and ensure competencies are in place at the appropriate time. You have the governance perspective, so CIOs, program managers, project managers, enterprise architects, business analysts. So how to update the staff skills and
organizational processes that are necessary to ensure business governance in the cloud, and manage and measure cloud investments to evaluate the business outcomes. We have the platform perspective, so CTO, IT managers, solution architects. So how to update the staff skills and organizational processes that are necessary to deliver and optimize cloud solutions and services. Security perspective, so CISO, IT security managers, IT security analysts. So how to update the staff skills and organizational processes that are necessary to ensure that the architecture deployed in the cloud aligns to the organization's security control requirements, resilience and compliance requirements. We have the operational, or operations, perspective, so IT operations managers, IT support managers. So how to update the staff skills and organizational processes that are necessary to ensure system health and reliability during the move of operations to the cloud, and then to operate using agile, ongoing cloud computing best practices. So this just taps the surface of what the CAF is, and I think for each of these they actually have a more detailed breakdown, so, you know, business is going to break down to even more finite things there, okay?

So AWS has free services that are free forever, unlike the free tier, which is up to a point of usage or time. And so there are a lot here, this is not even the full list, there's definitely more. And we have IAM, Amazon VPC, Auto Scaling, CloudFormation, Elastic Beanstalk, OpsWorks, Amplify, AppSync, CodeStar, Organizations, Consolidated Billing, AWS Cost Explorer, SageMaker, Systems Manager. There's a lot of them, okay? But the thing is that these services are free, but some of these can spin up other resources. So the services are free themselves, however ones that provision services may cost you money. So CloudFormation, which is an infrastructure as code tool, could launch virtual machines; those virtual machines will cost money, right? OpsWorks can
launch servers that can cost money. Amplify can launch Lambdas that can cost money. So that's something you just have to consider, but yeah, there you go.

Hey, this is Andrew Brown from ExamPro and we are taking a look at the AWS support plans. So we got Basic, Developer, Business and Enterprise, and you absolutely need to know this stuff inside and out for your exam; they will ask you questions on this, okay? So Basic is for email support only, such as billing and account. So if you think you got overbilled, and that's something you should do if you've misconfigured something and you end up with a big bill: just go open up a support ticket under Basic for billing and they're likely to refund you. But if you do have questions about billing, accounts, that's what we're going to be using; for everything else, that is for tech support. And so for Developer, Business, Enterprise, you're going to get email support, which they'll roughly reply to within 24 hours. I believe this is business hours, so if you message them on Friday, or sorry, Saturday, you might be waiting till Monday for it, okay? In terms of third-party support, the only one that doesn't have third-party support is Developer. So if you are using something like Ruby on Rails or Azure, or something that has interoperability between AWS and something else, Business, Enterprise will absolutely help you out with it, same with Enterprise, but the Developer one not so much. If you like to use the phone or you like to chat with people, that's available at the Business, Enterprise tier. This is the way I end up talking to people. If you are, you know, like if you're in North America and you're calling between 9 to 5 and a Monday and Friday, you're likely to get somebody that is within North America; if not, it'll be one of the supports from some other area, so just be aware of that. That can also affect the time they pick up. Sometimes it's 5 minutes, sometimes it's 30 minutes to an
hour, you know, it just depends on what service you're asking for and, you know, what time of day, okay? In terms of responsiveness, for general guidance everything is 24 hours or less for Developer, Business, Enterprise. If your system is impaired it's within 12 hours or less, with production system impaired it's four hours or less, with production system down it's 1 hour or less, and for Enterprise it's going to be business-critical system down, less than 50 minutes. So just notice who has what for these things. I've definitely waited like three days on general guidance before, so just take these with a grain of salt, that, you know, they don't really stick to these, or maybe I'm just not paying enough for them to care, okay? In terms of getting actual people assigned to you, this only happens at the Enterprise level, where they have their Concierge team, so they help your organization learn how to use AWS best, asking them any questions personally. And then you have a TAM, a technical account manager, that is somebody that knows AWS inside and out, and they'll help you architect things and make correct choices, or they'll check your bill and help you try to reduce that bill, things like that, okay? In terms of Trusted Advisor checks, at the Basic, Developer you get seven advisor checks. Once you're paying for Business you get all the checks. The cost here for business is zero, for Developer it's starting at $29 a month, for Business it's starting at $100 a month, and then for Enterprise it's 15,000 a month. So I said "starting at" because it's dependent on your usage, okay? So let's just look at Developer, Business and Enterprise here, because Basic's not going to be applicable here. So for Developer it's $29 US a month or 3% of the monthly AWS usage, whichever is greater. On the exam they're only going to ask you like, is it $2,900, like generally do you know the tier of expensiveness, but they're not going to ask you the percentage of usage, okay?
There's not going to be formulas here. When you get into Business it's a little bit different, where they have it in different brackets, so it's going to be 10% for the first 10,000 and the next is going to be the next 7,000, stuff like that. Similar for Enterprise as well. So let's just do some math so we know that we understand how this works. So if you had a monthly spend of $500 at the Developer tier, that's 3% of $500 is $15, so they go, okay, what is greater, $29 or $15? So you're paying $29. If your spend is $1,000, that comes up to $30, so you're going to end up paying $30 because that's greater than 29, okay? For Business, if your monthly spend is a thousand, that's 10% of 1,000, that's $100. If your spend is $5,000 then you're going to be paying $500. If your monthly spend is 12,000, then the first 10% of 10,000 is a thousand, and then the next is 7% of 2,000, so your total bill is 140 USD. We're not going to do a calculation for Enterprise because it's the same for Business, but hopefully that gives you an idea there, okay?

Hey, it's Andrew Brown from ExamPro and we are taking a look at a technical account manager, also known as a TAM, and these provide both proactive guidance and reactive support to help you succeed with your AWS journey. So what does a TAM do? And this is straight from an AWS job posting. What they would do is: build solutions, provide technical guidance and advocate for the customer; ensure AWS environments remain operationally healthy while reducing cost and complexity; develop trusting relationships with customers, understanding their business needs and technical challenges; using your technical acumen and customer obsession, you'll drive technical discussions regarding incidents, trade-offs, risk management; consult with a range of partners, from developers through to C-suite executives; collaborate with solutions architects, business developers, professional service consultants and sales account managers; proactively find opportunities for customers
to gain additional value from AWS; provide detailed reviews of service disruptions, metrics, detailed pre-launch planning; being part of a wider Enterprise Support team, providing post-sales consultative expertise; solve a variety of problems across different customers as they migrate their workloads to the cloud; uplift customer capabilities by running workshops, brown bag sessions, brown bag sessions being sessions that occur at lunchtime, something you can learn in 30 minutes, an hour. And so one thing that's really important to understand is that TAMs follow the Amazon Leadership Principles, especially about being customer obsessed, and we do cover the Amazon Leadership Principles somewhere in this course. And TAMs are only available at the Enterprise support tier. So hopefully that gives you an idea what a TAM does.

Hey, this is Andrew Brown from ExamPro. In this follow-along I'm going to show you AWS Support, and in order to use AWS Support or to change your level of support you're going to need to be logged into the root account. I should say, you can use support with IAM users, but if you want to change the support plan you're going to have to be the root user. So in the top right corner I'm going to Support, and notice here on the left-hand side, right now I have a Basic plan. And so before we look at changing our plan, I'm just going to go create a case, and we're going to just take a look at some of the options that are open to us. So we have account and billing support, service limit increase, technical support. Notice this is grayed out, so we cannot select anything here. I can go to here and increase our service limit, and this is something that you might have to do pretty soon, early in your account. You might say, hey, I need more of something like EC2, or a very common thing is SES, so for SES you might say, hey, I need to have this amount of emails for, etc., okay? So if we go over to account and billing support, we can go here and ask anything we want. So
if it's about the free tier I could say, ask a general question, getting started, and saying "what is free on AWS", "I want to know what is free on AWS", and you can attach three attachments there. You can choose via web and phone, which is really nice, but today I'm just going to do web here and submit that, just to kind of show you that as an example. And so what that is going to do is open a case, and then we will see, probably respond in 24 hours to 48 hours, just depends on whether it's the weekend or not, because it's based on business hours, of course. So now that we have an understanding of Basic, let's go take a look at what the other tiers look like. So we have Basic, Developer, Business and Enterprise, Enterprise being extremely expensive, Developer being affordable, and then Business being, you know, affordable for businesses. So I would say Developer is okay, it gives you better support, but it's all via email, and so, you know, if you really want good support you're going to have to pay for the Business one, and that's the one that I use quite a bit. So if I change my plan, I'm going to go over to Business, and this is going to cost me 93 bucks just to show you here today. So I'm going to go ahead and click that, and so it's now processing it, and so what's going to happen is I'm going to have to wait for this Basic to switch to Business. So if I go to the case here, it hasn't happened as of yet, so notice I cannot select this. So I'm going to see you back here in maybe like four or five minutes, or however long it takes, and we'll take a look then, okay?

Great, so after a few minutes it says my plan is now Business, and what I can do is go ahead and create a new case, and so I can go over to technical support and ask a question. So if I was having issues with anything, it doesn't matter what, I could go over to EC2 Linux and then I could choose my category, so I could say I'm having an issue with Systems Manager, and a lot of times they like you to provide the
instance ID. It's going to change based on what service you choose here, but you'll get different information. I'll just say "I need help with logging into my EC2 instance managed by SSM", so I can say "I created an EC2 instance and I am attempting to access the instance via Sessions Manager but it is not working. I think I have a role issue", and then I'm just going to go down here and say "this is not a real question, I am filming a demo video or tutorial video on how to use support", okay? And so once we do that, we have the option of web, chat and phone. So if you use phone you're going to enter your phone number in and they're going to call you back. Usually you will be on hold for anywhere from 5 minutes to an hour, it just depends. Usually it's within 15 minutes, so it's very good. Of course it depends on the time of day and your location, things like that, and the service, because there's different support engineers for different types of services and the balance of those are different. But generally chat is pretty good, so I can go here and I'm just going to hit Submit, and it's going to open a chat box, and so you just wait, okay? And sometimes it's super fast and sometimes it takes minutes, okay? So we are going to just sit here for a bit, and, you know, I'll just pop back here when there is somebody to talk to, okay?

Okay, so after waiting a little while, looks like we've been connected here, so it took a bit of time. So we're just going to say "hello, hi, this is Andrew Brown, I am recording a video to teach people how to use AWS and I wanted to show them how AWS Support works, so I'm just showing them how the chat system works, say hello", and hopefully they'll appreciate it, or they won't, it just doesn't really matter. We'll give them a moment. There we go, that's it, "thanks for your help", okay? And so that's pretty much it. So, you know, there's nothing really special about that, but the idea is, when you are typing with them it will appear in the
correspondence there. So I'm just going to end the chat, okay, and then I'm just going to mark that case as resolved. Sometimes they will ask you to resolve it. If I go to cases, I probably have some previous ones here. I have a lot, but I don't know why they don't all show up here. So you can see this one is pending, this one is resolved. I go back to this one, you can kind of see that the history of a conversation is kept, and you can go back and forth with the people there. Yeah, that's pretty much it. You can also do screen sharing, so they might send you a request to go on Zoom or download this piece of software that shares your screen, and so that is another option as well, so they can get pretty hands-on to help you with your problems there. But that's pretty much all I want to show you with support. I'm going to downgrade this, and I'm not sure if they're going to give me back my money, sometimes they'll prorate it for you, but I'll go here and go back to Basic. So "we will also refund your credit card directly in the month's remaining fees on your old plan which you previously paid; you're obligated to pay a minimum of 30 days of support each time you register", so I'm not going to get any money back, which is totally fine because I just wanted to show you how that works. But Business support is definitely worth it, and, you know, that's it.

So the AWS Marketplace is a curated digital catalog with thousands of software listings from independent software vendors. Easily find, buy, test and deploy software that already runs on AWS. The product can be free to use or can have an associated charge. The charge becomes part of your AWS bill, and once you pay, AWS Marketplace pays the provider. The sales channel for ISVs and consulting partners allows you to sell your solutions to other AWS customers. Products can be offered such as AMIs, AWS CloudFormation templates, software as a service offerings, web ACLs, and AWS WAF rules. So it sounds great. If you want to sell here I think
you need like a US bank account to do it. And, you know, sometimes AWS Marketplace is just part of AWS, so like when you're using the EC2 marketplace you are technically using the AWS Marketplace, but they also have like a dedicated page for it, so it's integrated with some services and it's also standalone, okay?

Hey, this is Andrew Brown from ExamPro and in this follow-along we're going to take a look at the AWS Marketplace. So what I want you to do is go on the top and type in Marketplace, and that will bring us over to here. The Marketplace can be found in a variety of different places on the platform. Here you can see that previously it was using something called Guacamole bastion host to launch a server, but the idea is that you can discover products and subscriptions that you might want to utilize. So if I go over here there's a variety of different things, and so it could be like, I want to have something like a firewall, that might be something that we might be interested in, so we could search there, and there's like bring-your-own-license firewall, so maybe you have a license with this and you want to run it on an EC2 instance, something like that. Again, it's not like super complicated, what's going on here, but a lot of times, you know, when you're using services you're accessing the Marketplace anyway. So like when I'm launching an EC2 instance, notice on the left-hand side it says AWS Marketplace, and so I don't have to go to the Marketplace there, I can just kind of like check out the thing I want. And that's pretty much all there really is to it, okay? So, you know, hopefully that makes sense.

Let's take a look here at Consolidated Billing. So this is a feature of AWS Organizations that allows you to pay for multiple accounts via one bill. So the idea here is we have a master account and we have member accounts, and I'm pretty sure that we probably call this root account now. I think master account might be a dated term, but it's still showing up in
the documentation. The idea is that if you have member accounts within your organization, they're all going to be consolidated under the single account. If you have an account outside of your organization, you know, this is going to be basically a separate bill, as if it's like a standalone organization or what have you, okay? So for billing, AWS treats all accounts in an organization as if they were one account. You can designate one master or root account that pays the charges for all the other member accounts. Consolidated Billing is offered at no additional cost. You can use Cost Explorer to visualize usage for Consolidated Billing, which we can see I have the icon here. You can combine the usage across all accounts in the organization to share the volume pricing discount, which we did cover in this course separately. If you want an account to be able to leave the organization, you do have to attach it to a new payment method. So if, let's say, you had an account and you want to give it to your friend or whatever, they'd have to hook up their credit card, but you can totally have an account leave an organization, but you have to deal with that billing aspect, okay?

All right, so there's a really cool way to save on AWS, and that's through volume discounts, and it's available for many services. The more you use, the more you save, is the idea behind it. And so Consolidated Billing lets you take advantage of volume discounts. This is a particular feature of AWS Organizations, so if you do not have the org turned on you're not going to be able to take advantage of that, okay? So an example would be something like data transfer, where it is billed for the first 10 terabytes at 17 cents, and then the next 40 terabytes it will be at 13 cents, okay? So if we had two accounts, such as Odo and Dax, and they're not within an AWS organization, we can calculate those and see what they are unconsolidated.
And just so you know, one terabyte equals 1,024 gigabytes, and that's what you're going to see in these calculations. So for Odo, you know, if he has 4 terabytes, and we calculate the gigabytes there, we times it by the cent value there, we're going to get $696, okay? For Dax we're going to end up with about $1,392 there, and so if we were to add those up, the bill would come out to $2,088, okay? So the idea is that there's an organization, and they're like your company, and they created two accounts but they're just not within an organization. By having them in the organization you're going to save about almost $80 there, so that is a reason why you'd want to use volume discounts, okay?

Hey, this is Andrew Brown from ExamPro and we're taking a look at AWS Trusted Advisor. So Trusted Advisor is a recommendation tool which automatically and actively monitors your AWS accounts to provide actionable recommendations across a series of categories. So this is what it looks like. I personally prefer the older dashboard, but this is what they have now, and you can see along the side we have a bunch of categories, and then we have some checks here saying, you know, what are we meeting, what are we not, and you can go in and read each one, and they'll tell you so much information, they'll even show you like what things are not meeting the requirements. In some cases you can easily remediate by pressing a button, not in all cases. But the thing with AWS Trusted Advisor is, think of AWS Trusted Advisor like an automated checklist of best practices on AWS, and they kind of map to the pillars of the Well-Architected Framework, not exactly, but pretty close. But there are five categories of AWS Trusted Advisor, so we have cost optimization, how much money can we save; performance, so how can we improve performance; security, how can we improve security; fault tolerance, how can we prevent a disaster or data loss; and service limits, so are we going to hit the maximum limit for a service. And so
the next thing we need to discuss is, there's a variation of the amount of checks that are available to you based on your support plan. So, you know, if you're using Basic or Developer you have seven Trusted Advisor checks, and if you have Business, Enterprise you have all the Trusted Advisor checks. So if we're talking about just the ones that are available to you, the ones that come for free are: MFA on root account; security groups specific ports unrestricted; Amazon S3 bucket permissions; Amazon EBS public snapshots; Amazon RDS public snapshots; IAM use, so this is just about alerting you about, discouraging the use of the root account; service limits, so all service limit checks are free. It's weird because they call it the like seven security checks, but if you counted all the service limits it'd obviously be too large of a number. But notice that 1 through 6 are all security checks, so you're not getting anything from the other tiers, just the security tier. And what I want to do is just go over a bunch of available checks out there. It's probably not the full list, because I couldn't even be bothered to update it if they've added more, but it will give you a general idea of what you could expect under each category. So for cost optimization, it could be things like looking at idle load balancers, so, you know, if you have load balancers you're not using, you're paying for them, so get rid of them; unassociated Elastic IP addresses, so for every IP that's not associated you're paying for it as well. Maybe under performance you have high utilization of Amazon EC2 instances, so maybe you can save money by switching to smaller instances. Under security we saw MFA on root account, a very popular one; making sure you turn on key rotation could be something as well there. Under fault tolerance, it could be making sure that you're using backups on your Amazon RDS database, maybe that's turned off. For service limits there's just a ton of them, and so one that, you know, might be PR to use
VPCs or EC2 limits so there you [Music] go hey this is Andrew Brown from ExamPro and we're going to take a look at Trusted Advisor so what I want you to do is go to the top and type in Trusted Advisor and once you're there you're going to notice on the left hand side we have cost optimization performance security fault tolerance and service limits right now there are no recommended actions because there's not much going on this account and when you uh have the uh free level of support the Basic support you're not going to have all these checks but if we go in here we can still see kind of what they do um so we have like performance security things like that so these are the ones that we actually can see and they generally work all the same way if you expand here it's going to say Amazon EBS public snapshot so check the permission settings for the EBS volume snapshots and alert you if any snapshots are marked as public and so if you scroll on down if there were ones that were an issue it would tell you right here okay then down below here we see like check buckets in Amazon S3 that have open access permissions or allow access to authenticated AWS users so yellow the ACL allows uh list access for everyone uh a bucket policy allows for any kind of open access bucket policy statements have public grant access so maybe what we can do is to see if we can get this to trigger and so what I'm going to do here is go over to S3 and what we're going to do is make a bucket that has full access okay so I'm going to create a new bucket and it'll say my exposed bucket we'll scroll on down here and we'll just checkbox that off and create the bucket we say I acknowledge that is totally fine okay so now I have a bucket that is 100% exposed if we go back to Trusted Advisor give this a refresh I'm not sure how fast it will show up here but if I expand so it says the bucket ACL allows upload delete for everyone Trusted Advisor does not have permissions to check the policy uh
bucket policy has statements that grant public access so what we could try to do is make a policy and try to grant all access here so I'm not writing these every single day but I'm sure we could try to figure this out um we'll say S3 bucket policy public access public read and so that one might be a good example so I'm going to go ahead and copy this one granting read-only permission to anonymous users I don't recommend you doing this I'm just doing this to show you to see if we can get Trusted Advisor to check because I don't want you to uh do this and forget about it and then have a serious issue but the principal is set to anybody so anyone can read it here it's saying get object etc then it's saying what particular resource so this one is going to be for uh the bucket in question here which is my exposed bucket we're going to scroll on down save the changes okay so this bucket is publicly accessible we're going to go back over here refresh and see what we can see okay so checks buckets in S3 etc so it should appear under here and it could be that it's just going to take some time so what I'm going to do is I'm just going to hang tight for a little bit oh there we go okay so it's showing up and I guess it just took some time to populate and so here we can see we have a a yellow symbol it's a warning saying hey there's a problem here if we go back to the dashboard I wonder if that shows up so this one's for investigation and recommendation so you know hopefully that kind of makes sense to you I think in some cases you can do remediation from from here or at least you can go and check box and say okay um ignore could have sworn there was remediation for some of these but in any case you know that's generally what Trusted Advisor does um I think that you probably can have it so it gives you alerts so yeah you could set recipients for particular things like if there's a security issue then I could email a particular person on your team and they could deal with it but
that's pretty much it so what I'm going to do is go ahead and delete this bucket I'm all done with it we'll go delete and say my delete uh my exposed bucket here to delete it and that is it okay [Music] let's cover the concepts of service level agreements also known as SLA so an SLA is a formal commitment about the expected level of service between a customer and provider when a service level is not met and if customer meets its obligation under the SLA customer will be eligible to receive compensation so financial or service credits and so when we talk about SLAs then we talk about SLI so SLI service level indicator is a metric or measurement that indicates what measure of performance the customer is receiving at a given time a SLI metric could be uptime performance availability throughput latency error rate durability correctness and if we're talking about SLIs then we're talking about SLOs service level objectives so the objective that that the provider has agreed to meet SLOs are represented as a specific target percentage over a period of time and so an example of a target percentage would be something that says an availability SLA of 99.99% in a period of three months all right and let's just talk about target percentages and the way they can be represented very common ones we will see is 99.95% 99.99% uh then we have 99 followed by 99 and so commonly we just say we call this 99 okay and then there's one 911s so if somebody says we have an SLA guarantee of of 9911 it's going to be the 99 followed by 911s all right [Music] let's take a look at AWS service level agreements and so there are a lot of them and I just wanted to just show you a few services to give you an idea how they work uh on the exam they're not going to ask you like oh what's DynamoDB's SLA for Global Tables um but generally we should just go through this because it's good practice so let's take a look at DynamoDB SLA so AWS will use commercially reasonable efforts to make DynamoDB available
with a monthly uptime percentage of each AWS region during any monthly billing cycle uh so for a at least 99.999% if Global Tables SLA applies or 99.99% if the standard SLA applies in the event DynamoDB does not meet the service commitment you'll be eligible to receive service credits described below so we have monthly uptime percentage and the service credit percentage we get Global Tables standard tables so let's take a look here so if less than 99.999% but equal to or greater than 99.0% is met so if if the service ends up being this you'll get 10% back of what you spent as service credits if it drops between uh 99.0 and 95.0 you get 25% back if it's less than 95 uh percent um then it's 100% back okay and you get the general idea here SLA is going to be slightly different with their drops now let's take a look at um a compute and so compute is going to apply across a bunch of compute services probably because they're all using EC2 underneath so that's probably the reason for it so we have EC2 EBS ECS EKS and AWS uh makes two SLA commitments uh for the included services so we have a region level SLA that uh governs included services deployed across multiple AZs or regions and an instance level SLA that governs Amazon EC2 instances individually and again we have our monthly uptime percentage our service credit percentage region and instance level so you can just see the same thing it's like it's going to change based on uh what it can meet then we'll take a look at one more like RDS so a relational database service so it will use commercially reasonable efforts to make Multi-AZ instances available with monthly uptime percentage of 99.95% during any monthly billing cycle and again you know if if they don't meet those requirements you're going to get service credits back which basically equal USD dollars on the platform and so for this it looks like that so just notice that you know with like compute it was for a a bunch of services for DynamoDB it was based on
uh particular features like global standard tables SLA it's very straightforward uh we didn't do S3 because I just did not want to show you that one it was just too complicated but my point is is that it's going to vary so you have to look up per service [Music] okay hey this is Andrew Brown from ExamPro and we are taking a look at Amazon's service level agreements and so the way you find SLAs is you pretty much just type in SLA for whatever it is so if you're looking for compute you type in SLA or you look for a particular service so maybe you say SageMaker SLA AWS I don't think there's like a generic SLA page at least I don't know where it is I always just type in SLA to find what it is and through that you can just kind of read through and try to find out uh the things that that matter to you for your business [Music] okay let's take a look here at the Service Health Dashboard and so the Service Health Dashboard shows general status of AWS services and it's really simple the idea is that you can uh check based on the geographic area so you'd say North America Europe etc and what you'll see is an icon that says whether the service is in in good standing and the details whether the service is operating normally etc notice they also have an RSS feed the reason I'm talking about Service Health Dashboards is because I want to talk about Personal Health Dashboards and because they're both called health dashboards it's confusing so I wanted to to tell you about this one first so now we'll jump into the AWS Personal Health Dashboard so we saw the Service Health Dashboard now let's take a look at the AWS Personal Health Dashboard so this is what it looks like and it provides alerts and guidance for AWS events that might affect your environment all AWS customers can access the Personal Health Dashboard the Personal Health Dashboard shows recent events to help you manage active events and show proactive notifications so that you can plan for scheduled activities you
uh you can use these alerts to get notified about changes that can affect your AWS resources and then follow the guidance to diagnose and resolve the issue so this is very similar to the Service Health Dashboard but it's personalized for you um and it's uh you know I I don't see it crop up very often but if you had to create alerts or be reactive to uh things that are happening within your bus this is where you do it okay so there's a team called AWS Trust and Safety that specifically deals with abuses occurring on the AWS platform and so I'm going to just list off all the cases where you'd want to be contacting them as opposed to support so the first is spam so you're receiving unwanted emails from an AWS-owned IP address or AWS resources are used to spam websites or forums port scanning your logs show that one or more AWS-owned IP addresses are sending packets to multiple ports on your server uh you also believe uh this is an attempt to discover unsecured ports uh DoS attack so your logs show that one or more AWS-owned IP addresses are used to flood ports on your resources with packets you also believe this is an attempt to overwhelm or crash your server or the software running on your server intrusion attempts so your logs show that one or more AWS-owned IP addresses are used to attempt to log into your resources hosting prohibited content so you have evidence that AWS resources are used to host distribute prohibited content such as illegal content or copyrighted content without the consent of the copyright holder distributing malware so you you have evidence that AWS resources are used to distribute software that was knowingly created to compromise or cause harm to computers machines that it's installed on and so in any of these cases you're not going to AWS support you're going to open up an abuse ticket and so you got to contact abuse@amazonaws.com or fill out the uh uh Amazon abuse uh form so and this is whether it's coming from uh an outside AWS
account or even you're internally if you think that someone has compromised your account and it's being used in any of these ways uh this is what you're going to do [Music] okay hey this is Andrew Brown from ExamPro and we're looking at AWS abuse so uh we were saying that AWS has the AWS Trust and Safety team and what you'll want to do is if you uh find that there's an issue you're going to report it to this email at abuse@amazonaws.com or you're going to use this form which is the report Amazon AWS abuse so you'll go down here you'll sign in you'll put your email in your first name last name or phone number um the source IP the the details uh uh in uh here you can even select the type of abuse so you say if it's this kind or that kind things like that it's very straightforward um and that's pretty much it [Music] okay hey this is Andrew Brown from ExamPro and we are taking a look at the AWS Free Tier and this allows you to use AWS at no cost um and when we say free tier there there there's the idea of the first 12 months of sign up there's going to be special offerings or it's free usage up to a certain monthly limit forever um and then there's just services that are inherently free which we have a total separate slide on but let's talk about just the free tier stuff and this is absolutely not the full list um but uh it's a good idea like it gives you a good um overview of stuff that is free so for EC2 which you use a web server you get a T2 micro for 750 hours per month for one year and so there's about 730 hours um in a month and so that means you could have a server running uh the entire month for free uh and an additional server for a bit as well so for RDS which is a relational database service for either MySQL or Postgres we can do it T2 DB micro for 750 hours for free so there we get our free database and you would be surprised how far you can get with a uh a T2 DB micro um you know even for a medium-sized startup you can run it on uh a T2 DB
micro with no problems then you have your Elastic Load Balancer you get 750 hours per month for one year um so that is a really good thing uh load balancers usually cost $15 a month so that's great actually all these pretty much cost $15 a month so that's about um 15 30 $45 month over month for a year that's uh free then you have Amazon CloudFront this is where you'd have your homepage caching your videos things like that so you get 50 GB data transfer out for the total of year then there's Amazon Connect you get your toll-free number there 90 minutes of a call time per month for one month or for one year sorry Amazon ElastiCache so you could launch a Redis or ElastiCache server you get 70 hours on a cache T3 micro for a year um Elasticsearch Service so this is full-text search so again 750 hours per month for one year Pinpoint campaign marketing email so you can send out 5,000 targeted users per month for one year SES so um Simple Email uh Service so this is for um transactional emails um so that you send out from your web app so 62,000 emails per month forever AWS CodePipeline so one pipeline free AWS CodeBuild so uh this is for building out projects or things like that so 100 build minutes per month forever AWS Lambda serverless compute 1 million free requests per month 3.2 million uh million seconds of compute time per month for free uh and you know I like to highlight these ones because for traditional architecture you're always going to have a web server a database a load balancer um and you might even have CloudFront in there as well but uh yeah again there's a huge list and this does not even tap the surface of what's free on [Music] AWS hey this is Andrew Brown from ExamPro and we are taking a look at AWS promotional credits and these are the equivalent to USD dollars on AWS platform AWS credits can be earned several ways this could be joining AWS Activate startup program winning a hackathon participating surveys and any other reason that AWS
wants to give credits out uh once you uh have um a promotional code you click the redeem credit button in the billing console you enter it in and then your credits will be shown there you can monitor them via AWS Budgets or uh via Cost Explorer and probably even billing alarms AWS credits generally have an expiry date attached to them could be a few months uh to a year AWS credits can be used for most services but there are exceptions where AWS credits cannot be used like purchasing a domain via Route 53 because uh that domain costs money outside of AWS's cost like for their infrastructure and virtual stuff and so for things like that uh you know they're not going to be you're not going to be able to use credits for that [Music] okay the AWS Partner Network also known as APN is a global partner program for AWS so joining the APN will open your organization up to business opportunities and allow exclusive training and marketing events so when joining the APN you can either be a consulting partner so you help companies utilize AWS or a technology partner you build technology on top of AWS as a service offering and a partner belongs to a specific tier so it's either going to be Select Advanced or Premier when you sign up it's free to sign up but you're not going to be able to do much until you start uh committing to an annual fee so that's it's like a certain amount of money to uh be able to be part of that tier and it starts in the thousands okay so I think the first tier is like something like a thousand or $2,000 and it gets uh more expensive as you go up as a tier and you also have to have particular knowledge requirements so this could be holding uh particular AWS certifications at the at the foundational level at the associate level things like that um or it could be AWS APN exclusive certification so training that um is not AWS certifications but there's certifications that are only available to partners saying like how do you it could be like something
like how do you uh talk to customers or communication things like that you can get back promotional AWS credits so you know if you say oh man I spent uh $22,000 on just being able to uh get into the APN at least the idea is that you can generally get back that uh that spend on AWS so it's like you committing if you give like $2,000 it's like you're going to commit to keep using AWS I'm not showing the annual fee commitments here and the promotional credits that you get back just because they've changed it a couple times on me and I just don't want this slide to go stale in case they happen to change it again so you'll have to look that up to find out what they actually are right now uh you can have unique speak speaking opportunities in the official AWS marketing channels like the blogs or webinars being part of the APN is a requirement to be a sponsor with a vendor booth at AWS events so when you when you go to re:Invent or any AWS um event all the vendors are part of the APN all right so they've paid their fee and now they paid an additional fee to get their booth but um yeah AWS Partner Network uh is very good for uh uh helping you find new business and connecting with other people that are building workloads on AWS but hopefully that gives you an idea of how works [Music] okay hey this is Andrew Brown from ExamPro and we are taking a look at AWS Budgets so AWS Budgets gives you the ability to set up alerts if you exceed or approaching your defined budget create cost usage or reservation budgets it can be tracked at the monthly quarterly or yearly levels with customizable start and end dates alerts support EC2 RDS Redshift ElastiCache reservations uh and so the idea here is you can choose your budget amount so it could be like $100 it'll even show you what was the last amount if you're uh resetting the budget there something new you can choose based on a different kind of unit so if you wanted to be based on running hours on EC2 you could totally do that AWS
Budgets can be used to forecast costs but is limited compared to Cost Explorer or doing your own analysis related with Cost and Usage Reports along with business intelligence tools budgets uh based on a fixed cost or or you can plan your cost uh upfront based on your chosen level can be easily managed from the AWS Budgets dashboard via the AWS Budgets API get notified by providing email or chatbot and threshold uh how close to the current or forecasted budget um so you'd see a list of budgets here uh current versus forecasted the amount used things like that you can see your budget history you can download a CSV uh it'll show you the cost history right in line there which I can't show you it it's hard to see there you get the first two budgets are free so there's no reason not to set a budget when you first first get into AWS and each budget costs about uh 0.02 cents a day so it's like 60 cents um uh USD per month for budget so they're very cheap to use and you got a limit of 20,000 budgets you're going to be in good shape [Music] okay let's take a look here at AWS Budgets Reports which is used alongside AWS Budgets to create and send daily weekly or monthly reports to monitor the performance of your AWS Budgets it will be emailed to specific emails so it's not too complicated here you say create the report budget choose your frequency uh the emails you want um and budget report serves as a more convenient way of staying on top of report since they're delivered to your email instead of logging into the AWS Management Console so it's just for those people that just can't be bothered to log in [Music] okay let's take a look here at AWS Cost and Usage Report so generate a detailed spreadsheet enabling you to better analyze and understand your AWS cost so this is kind of what it looks like and when you turn this feature on it will place it into an S3 bucket you could use something like Athena to turn the report into a queryable database since it's very easy to
consume S3 CSVs into Athena you could use QuickSight to visualize your billing data as graphs so QuickSight is a business intelligence tool similar to Tableau or Power BI you could also ingest this into Redshift um but the idea here is when you turn it on you can choose how granular you want the data to be hourly daily or monthly if you turn on daily you'll be able to even see spikes of uh of of of costs for EC2 instances which is kind of nice the report will contain cost allocation tags um which I think we have a separate slide on that type of tags and the data is stored in e as either a CSV it'll be zipped or it will be a Parquet format it just depends on how you want it um uh for that [Music] okay let's talk about cost allocation tags so these are optional metadata that can be attached to AWS resources so when you generate out a Cost and Usage Report you can use that data to better analyze your data so what you'd have to do is make your way over to cost allocation tags and need to activate the tags you want to show up there are two types of tags so we have user-defined so whatever you've previously tagged will show up probably there you turn it on so if you made one with project you turn on project and there's a lot of AWS generated ones that you can turn on so there's a huge list there but uh yeah that's particular with Cost um and Usage Reports if it says like cost allocation reports it's just that's what Cost and Usage Reports used to be called um and some of the documentation's a bit old there but yep there you [Music] go so you can create your own alarms in CloudWatch alarms to monitor spend and they're commonly called billing alarms uh and so it's just a regular alarm but it's just focused on spend but in order to do this you have to turn on billing alerts first in order to uh be able to use it uh and then you'll go to CloudWatch alarms and you can choose billing as your metric and then you just set your alarm however you'd want billing alarms are
much more flexible than AWS Budgets and are ideal for more complex use cases for monitoring spend and usage in terms of alerting so you just have to decide what you want to do uh before AWS Budgets this was the only way to do it and so this is the way I'm used to doing it and I still do it this way today but uh you know both options are valid and just have to decide what is your use case okay let's take a look at AWS Cost Explorer which lets you visualize understand and manage your AWS cost and usage over time so uh here's a big graphic of AWS Cost Explorer and you can specify time and range and aggregation and it has a lot of robust filtering um what's really nice is that they have a bunch of default reports for you so I'm just going to get my pen tool just to show you where that button is it's over uh here uh if you can see my marker there but but you know you can look at things like monthly cost by service monthly cost by linked account daily cost AWS Marketplace RI utilization so there's a bunch there you can also notice you can create your own report so if you do find something that you like you can save it for later um you can you could have access to forecasting here so you get an idea of the future costs and whether it's been it's gone up or down just to kind of zoom in on some of those filtration options you can choose um either monthly or daily level of of how you want the data to be grouped together and you have a lot of filter control so if I want to just have EC2 instances for a particular region then I can get that filtered information over here and you can see you have a breakdown of the different types so it's very detailed and Cost Explorer shows up in us-east-1 I'm pretty sure if you click on Cost Explorer it will just switch you over to that region but just understand that's where it lives [Music] okay hey this is Andrew Brown from ExamPro and in this video I want to show you AWS Cost Explorer so what we'll do is go to the top here
and and actually on the right hand side we're going to click on the right and go to my billing dashboard and from there on the left hand side we're going to look for Cost Explorer and then click launch Cost Explorer and this is where we're going to get to the AWS Cost Management dashboard where this is where we find savings plans reservations things like that on the left hand side click on Cost Explorer and you can get this nice chart and so the idea is you can change it from monthly to daily if you if you uh prefer okay you can change the scope here maybe we don't need six months we can just go back um three months here so there's less data it is a bit delayed when I'm clicking here so it also could be just because I'm doing the daily instead of monthly so you just have to be a little bit patient when uh using this interface you can change it to stack line graph you can kind of see the details there it's not always clear like what others is or things like that and so uh you can drill down and there's like ways of applying fil filters and things like that I always forget how to uh do this it's because it's it's bringing everything in so you have to hit clear all first I think and um oh you have to click into it so like if you wanted to click into it and pick a particular service we could go here and type in EC2 and say EC2 instances and then apply that filter so now we can just see exactly that cost or if we want to choose use like maybe just RDS okay so you know that could be useful for you to see but yeah sometimes it's not always clear and so what I recommend is just go back to your billing dashboard and from there just go to bills okay bills is really really useful because here it shows you exactly every single little service that you're being billed for you can expand it and see exactly where if you have other accounts you can go into this side here as well and find spend that way um but Cost Explorer is very useful just it's useful in a different way okay
so there you [Music] go hey this is Andrew Brown from ExamPro and we are taking a look at the AWS pricing API so with AWS you can programmatically access pricing information to get the latest pricing offerings for services this makes sense because AWS can change them at any time and so uh you know you might want to know exactly what the current price is uh there are two versions of this API so we have the query API known as the pricing service API and you access this via JSON and then there's the batch API also known as the price uh list API via HTML what's odd is that um the batch API returns JSON but you're accessing it via HTML so you can literally paste those links in your browser for the query API you're actually sending an an application JSON request so you'd have to use something like Postman or something uh you can also subscribe to SNS uh notifications to get alerts when pricing for the services change AWS prices change periodically such as when AWS cuts prices when new instance types are launched or when new services are introduced so there you [Music] go hey this is Andrew Brown from ExamPro and what I want to do here is show you savings plans and so savings plan is going to be found under the AWS Cost Explorer so just type in Cost Explorer at the top here or if you want you can type in savings plan as well and once we are here on the left hand side we are going to have uh savings plans options so we're going to go to the overview and here it just describes um what are savings plans if you want to read through it but down below if you have already some spend happening it's going to make some suggestions and in this particular account it's saying that I could save some money on compute before we take a look here I'm just going to go to the form here and see what we can see so up here we can say a commitment through three years by the way you have compute savings which applies to EC2 Fargate or Lambda then you have the EC2 specific one where uh
we can select a very particular type of instance family and then there's the SageMaker savings plans um but if we go here and we just enter in like $2 all up front uh I don't really understand it from here because it doesn't make it clear what the savings are um but uh I what it does make it very easy is probably if we go over here and then click down on the compute so I kind of feel like here would autofill it in for you and so here I filled it in uh or sorry it's filled in for me and so here it's saying with a one-year plan all up front for based on the past 30 days that it's going to see that I'm going to see a monthly savings of $25 36 and then I can add it to the cart that way and I kind of feel like that is the easiest way to um figure that out where with um with how it was going to that form I just configured out myself what the savings were uh there are some utilization reports and coverage reports honestly I've never really looked at these before um but uh I'm just curious like what we're looking at monthly daily the last let's go a few months here I've been running stuff in this account for a while so there should be something apply so nothing nothing of interest but um I mean I guess you have a lot of use and coverage report and utilization report could be interesting but I imagine it's maybe you have to be using you have to have a savings plan before you can see this so that's probably the reason why um but yeah hopefully that gives you a clear idea that you know you can just go down to those recommendations and and see exactly what you can save and you just add it to your cart and then once you want to pay for it you just choose to submit that order and you're all good to go all right so that's savings [Music] plans let's take a look here at defense in depth to understand the layers of security AWS has to consider uh for their data centers for their uh virtual workloads and things that you also have to consider when you are uh thinking about security
for your cloud resources so in the most interior we have data so this is access to business and customer data and encryption to protect your data then we have applications so applications are secure and free of security vulnerabilities then you have compute so access to virtual machines ports on premise and cloud you have the network layer so this limits communication between resources using segmentation and access controls you have the perimeter itself so distributed denial of service protection to filter large scale attacks before they can cause denial of service of users you could say that's part of the network layer and that's what I say there are variants on this but we're just separating it out uh explicitly there we have identity and access so controlling access to infrastructure and change control and then there's the physical layer so limiting access to data centers to only authorized personnel you'll notice I highlighted identity and access in yellow it's because that is considered the new primary um perimeter from the customer's perspective of course AWS has concern about the physical perimeter and things like that but as it as a customer that's what you're going to be thinking about especially with the zero trust model and when you see these depths the idea is that in order to get here you have to pass through all this stuff so if this um if this outward one is protected pretty well then you generally don't have to worry about the interiors but of course you should um but yeah there you go let's take a look here at confidentiality integrity and availability also known as the CIA triad is a model describing the foundation to security principles and their trade-off relationships so here is our triad so we have confidentiality so confidentiality is a component of privacy that implements to protect our data from unauthorized viewers in practice this can be using cryptographic keys to encrypt our data and using keys to encrypt our keys so envelope encryption
then we have integrity so maintaining and ensuring the accuracy and completeness of data over its entire life cycle in practice utilizing ACID compliant databases for valid transactions utilizing tamper evident or tamper proof hardware security modules HSMs availability so information needs to be available when needed in practice so high availability mitigating DoS uh decryption access so the CIA triad was first mentioned in NIST publication in 1977 there have been efforts to expand and modernize or alternatives to the CIA triad so one was in 1998 for the six atomic elements of information uh or in 2004 we have the NIST engineering principles for uh for information technology security so has 33 security principles but this is still a very popular um model for security uh and it's just to kind of tell you like you know you don't always get everything you don't get all three of them sometimes you have to trade off in your scenario um you know and hopefully some of the terminology here will uh resonate as we go through more security [Music] content

what I want to do here is just define the term vulnerability so a vulnerability is a hole or weakness in an application which can be designed a design flaw or implementation bug that allows an attacker to cause harm to stakeholders or applications and uh there's a lot of great definitions of vulnerabilities but OWASP has a ton of them and we talked about OWASP when we talk about AWS WAF uh but it's an organization that creates security projects that help you know what you should protect uh or gives you a working examples so that you can understand how to get better at security and so they have a lot of ones here but maybe you'll might notice some here like using a broken or risky cryptographic algorithm maybe there's a memory leak least privilege violation so that's um uh least privilege is something that is a thing that you're always worried about in security improper data validation buffer overflows so you know just to kind of set
the tone of what a vulnerability is and things you should be thinking about [Music] okay

let's understand what encryption is but before we do we need to understand what is cryptography so this is the practice and study of techniques for secure communication in the presence of third parties called adversaries and encryption is the process of encoding or scrambling information using a key and a cipher to store sensitive data in an unintelligible format as a means of protection uh and encryption takes in plain text and produces a ciphertext so here's an example of a very old um encryption machine this is the Enigma machine used during World War II and it has a different key for each day that it was used to set the position of the rotors and it relied on simple cipher substitution and so you might be asking what is a cipher and that's what we're going to look at [Music] next

so what is a cipher it is an algorithm that performs encryption or decryption so cipher is synonymous with code uh and the idea is that you use the code to either unlock or lock up the information that you have so what is a ciphertext a ciphertext is the result of encryption performed on plain text via an algorithm so you lock that up you scramble it it doesn't make sense and you need that code to unlock it to get the information so a good practical example back in the day was a code book and this was a type of document used for gathering and storing cryptographic codes or ciphers so the idea is if we zoomed up on here notice where we have cannot so uh and it would be 0 0 and then there would be give them Authority so the idea is 0 0 or if you had the word cannot it would translate to z0 and then you use z0 to match that up to say what does that actually mean and so that is kind of a very practical example of ciphers in [Music] action

so we just took a look at encryption but what are cryptographic keys so a cryptographic key an easy way to think of it is a variable used in conjunction
with an encryption algorithm in order to encrypt or decrypt data and there are different kinds of um ones we have so we have symmetric encryption so this is where we have the same key that is used for encoding and decoding uh and a very popular one and the one you will see on AWS is called Advanced Encryption Standard AES so just take a look at that graphic very closely so we have one key and it is used to encrypt so it produces the cipher and then or ciphertext we should say and then it will uh decrypt and we will get our plain text so one single key then we have asymmetric encryption so two keys are used one to encode and one to decode and a very popular one here is RSA if you're wondering what those uh those words are it's three people's names put together who helped uh invent this type of algorithm and so here we have uh one key for encrypt and one key for decrypt and they're two different keys all [Music] right

all right let's look at the concept of hashing and salting so for hashing we have a hashing function and this accepts arbitrary size values and maps it to a fixed size data structure hashing can reduce the size of a store value and hashing is a one-way process and is deterministic so a deterministic function always returns the same output for the same input so if we have something like John Smith and we pass it to the hash function it's going to create something that is not human readable but it'll say something like 02 Fae X XY whatever um and it will always produce the same thing if the same key or you know value is being inputted there so the reason we use hashing functions or hashing in general is to hash passwords so hash functions are used to store passwords in a database so that the password does not reside in a plain text format so you've heard about all these data breaches where they've stored the password in plain text this is the thing that helps us avoid that issue um and the thing again is it because it's one way you can't take
that hash and unhash it um well there are some conditions to it but so to authenticate a user when a user inputs their password it is then hashed so the one that was inputted at the time of you know login and then that hash is compared to the stored hash in the database and if they match the user is successfully logged in so in that case we never ever had to know what the original password looked like uh popular hashing functions are MD5 SHA-256 or bcrypt uh if an attacker knows the function you are using uh and uh and stole your database they could enumerate a dictionary of passwords to determine the password so they'll never see it but they could just keep on going through that so that's why we salt our passwords so a salt is a random string not known to the attacker that the hash function accepts to mitigate the deterministic nature of a hashing function so there you go [Music]

let's take a look here at digital signatures and signing so what is a digital signature it is a mathematical scheme for verifying the authenticity of digital messages or documents and a digital signature gives us tamper evidence so did someone mess or modify the data is this data from uh someone we did not expect it to be is it from the actual sender and so we kind of have this diagram where we have a person who sends or is going to send a message so they sign it and then uh Bob verifies that it was for the person who it's from so there are three algorithms to a digital signature the key generation so generates a public and private key um then there is signing the process of generating a digital signature with a private key and the inputted value so signing which is what is happening up here signing verification verifies the authenticity of the message with a public key so remember the private key is used for signing and the public key is used for verifying SSH uses a public and private key to authorize remote access into a remote machine such as a virtual machine it is common to use RSA
and we saw that RSA is a type of algorithm earlier and so ssh-keygen is a well-known command to generate a public and private key on Linux I know this one off the top of my head I always know to do this um and so what is code signing so when you use a digital signature to ensure computer code has not been tampered and so that's just a like subset of digital signature so you can use this as a means to get into a virtual machine or you can use signing as a means to make sure that the code being committed to your repository is who you expect it to be from so there you [Music] go

let's talk about in-transit versus at-rest encryption so encryption in transit this is data that is secure when moving between locations and the algorithms here are TLS and SSL then you have encryption at rest so this is data that is secure when residing on storage or within a database so we're looking at AES or RSA which we both covered previously these algorithms so ones that we did not cover was TLS and SSL so we'll cover them now so TLS transport layer security is an encryption protocol for data integrity between two or more communicating computer applications so 1.0 and 1.1 are no longer used but TLS 1.2 and 1.3 is the current best practice then we have SSL secure socket layers so an encrypted protocol for data integrity between two or more communicating uh computer applications so 1.0 2.0 and 3.0 are deprecated um and honestly I always get these two mixed up and I always fig fig uh uh get confused which is being used but um you know they're always changing on us but just understand generally what these concepts are and that you're familiar with the terms [Music] okay

hey this is Andrew Brown for Exam Pro and we are taking a look at common compliance programs so these are a set of internal policies and procedures for a company to comply with laws rules and regulations or to uphold business reputation so here we have a bunch of different compliance programs and so some
popular ones are like HIPAA or um PCI DSS the question is should you know these yes you should generally know the most popular ones because you're going to see them throughout your cloud career um and so just getting familiar now is a good time uh so let's jump into it okay so the first one I want to introduce you to is for ISO and they have a bunch of different ones so ISO is the international organization of standardization and there uh other one called IEC which is the international electrotechnical commission one deals with uh you know like uh virtual things the other one deals with hardware things but they have a lot of overlapping um compliance programs okay and so the most popular absolutely most popular one that I know of is the 27001 I know a lot of organizations that are going for the 27001 this is for control implementation guidance you have the 27017 this is enhanced focus on cloud security the 27018 this is protection of personal data in the cloud then you have the 27701 this is Privacy Information Management System so PIMS framework this outlines controls and processes to manage data privacy and protect PII so that's personally identifiable information then you have system and organization control SOC and this is a very popular thing that organizations go for especially the SOC 2 so SOC 1 is 18 standards and report on the effectiveness of internal controls at the service organization relevant to the client's internal control over financial reporting we have SOC 2 evaluates internal controls policies and procedures that directly relate to the security of the system at a service organization and SOC 3 a report based on the trust uh services criteria that can be freely distributed then we have PCI DSS a set of security standards designed to ensure that all companies that accept process store and transmit credit card information maintains in a secure environment we have a federal information processing standards or FIPS so 140-2 This Is
US and Canadian government standard that specifies the security requirements for cryptographic modules that protect sensitive information then we have uh PHIPA this is more relevant to me because I'm actually in Ontario in Canada but it's also very uh well-known um uh one out there outside of HIPAA so this regulates patient protected health information then you actually have HIPAA this is the US federal law that regulates patient protected health information then we have uh Cloud Security Alliance so CSA STAR certification independent third-party assessment of a cloud provider security posture if you've never heard of CSA they have a very uh well-known fundamental uh security certification called the cssk or ccsk I always get that that mixed up then we have uh FedRAMP which we covered earlier in this course or in the future depending on where we put it but um FedRAMP stands for federal risk and authorization management program it's a US government standardization approach to security authorizations for cloud service offerings if you want to work with the US government or places that sell the US government you need FedRAMP that similar to criminal justice information services any US state or local agency that wants to access the FBI's CJIS database is required to adhere to the CJIS security policy then we have GDPR uh the general data protection regulation everyone knows what this is in Europe maybe not so much in North America or other places a European privacy law imposes new rules on companies governments agencies nonprofits and other organizations that offer goods and services to people in the European Union or that collect analyze data tied to EU residents there's a lot of compliance programs out there one that's also very popular is FIPS but we'll get to that when we talk about KMS um but yeah there you [Music] go

so I just wanted to quickly show you here the AWS compliance programs page where they list out all the types of compliance programs
that AWS is uh working with and that it has different types of certification and attestment which we can use AWS Artifact or Amazon Artifact whichever prefix they decide to use for the name there um to uh ensure that AWS has in order to meet those regulatory compliance so you can see them all there and if you want to know a little bit more about any of these you just go ahead and click them and you can read and they have additional information so you have a better idea [Music] okay

let's talk about pen testing so pen testing is an authorized simulated cyber attack on a computer system performed to evaluate the security of the system and on AWS you are allowed to perform uh pen testing but um there are some restrictions so permitted services are EC2 instances NAT gateways ELBs RDS so that's relational database service CloudFront Aurora API gateways Lambda Lambda@Edge functions Lightsail resources Elastic Beanstalk environments things you cannot do or you should not be doing is DNS zone walking via Route 53 hosted zones then there's DoS simulation testing so you should not be doing DoS or DDoSes or simulated DoS or simulated DDoSes okay and that doesn't mean that you can't necessarily do them uh again there's a lot of exceptions to the pen testing they have a whole page on this but generally you're not allowed to do DDoSing uh port flooding protocol flooding request flooding can't do any of those things for other simulated events you need to submit a request to AWS a reply could take up to seven days uh you know again there's a lot of uh uh little intricacies here so you'd have to really read up on it if you're interested in doing this okay

hey this is Andrew Brown from Exam Pro and we are taking a look at pen testing on the AWS platform so they have this page here that tells you what you're allowed to do what you're not allowed to do um and there's some additional things you can read into like the stress test policy the DoS simulation testing policy which
I didn't cover in detail uh in the course content but if for whatever reason you're interested in it I just want you to be aware of that kind of stuff if you want to simulate events there is a simulate events form that you have to fill out so you open it up and you can kind of read about it and it gives AWS a heads up of what you're going to be doing stress test phishing malware analysis other so that way that if you are doing it you're not going to get in trouble they're aware of what you are doing okay so that's pretty much [Music] it

hey this is Andrew Brown from Exam Pro and we are taking a look at AWS Artifact which is a self serve portal for on-demand access to AWS compliance reports so here's an example of a a bunch of different compliance reports that AWS could be meeting and the idea is that when you go to this portal within the AWS Management Console you'll have a huge list of reports that you can go and access so here I'm searching for Canada to get the government of Canada partner package and then I go ahead and I download that report as a PDF and then within the PDF we can click a link to get the downloadable Excel and that's pretty much what it is it's just if you want to see that AWS is being compliant for different programs

hey this is Andrew Brown from Exam Pro and we're going to take a look at AWS Artifact so in the top here we're going to type in artifact and not be confused with CodeArtifact which I guess is a new service there's just always releasing new services e and so here we have a video and some things but uh it's not too hard all we got to do is go to view reports and from here we have all the types of compliance programs or regulatory compliance programs that AWS is uh meeting and we can do is search for something so we type in Canada and that's the government of Canada partner package and I can go ahead and download that report so when you download it you really want to open this up in um you're going to really want to
open this up in um uh Adobe Acrobat because if you don't open up an Adobe Acrobat you're not going to be able to access the downloadblack reader and once to have it open and I'm just moving it over here this is what you're going to see and um it's going to say like hey um oops no I don't want to do that so please scroll to the next page to view the artifact download and so I think that if we go here you know they say scroll to the next page but I'm pretty sure we can just go here on the left hand side and this is what we're looking for that Excel spreadsheet so we're going to save that attachment or actually we just going to open it up open this file okay and we'll give it a moment I have Excel installed and there we go there it is okay so I know it's a little bit odd way to get to those um certificates or reports but that's just how it works um but yeah I mean that's the idea is like if you need to prove that AWS is meeting whatever those standards are you can just type them in whatever it is I maybe there like FedRAMP right whatever it is and download those certificate attestment whatever um and just double check that AWS is meeting those standards [Music] okay

hey this is Andrew Brown from Exam Pro and we are taking a look at AWS Inspector but before we can answer what it does let's talk about hardening so hardening is the act of eliminating as many security risks as possible hardening is common for virtual machines where you run a collection of security checks known as a security benchmark so AWS Inspector runs a security benchmark against specific EC2 instances and you can run a variety of security benchmarks and you can perform network and host assessments and so here's an example of those two check boxes there which you'd say which assessments you want to do so the idea is you have to install the AWS agent on your EC2 instance you run an assessment for your assessment target you review your findings and remediate security issues and one very
popular benchmark you can run is the CIS which has 699 checks so if you don't know what CIS it stands for the center of Internet Security uh and so they are this organization that has a bunch of um uh security controls or check marks uh that are published that they suggest that you should check on your [Music] machine

hey this is Andrew Brown from Exam Pro and we're looking at DoS so DoS is a type of malicious attack to disrupt normal traffic by flooding a website with a large amount of fake traffic so the idea is we have an attacker and the victim the victim is us and it could be our virtual machines our cloud services the idea is that it's some kind of uh resource which um can take in uh incoming requests over the internet so the idea is the attacker is utilizing the internet and so they may control a bunch of uh virtual machines or servers that are loaded up with malicious software and the idea is that the attacker is going to tell them all to send a flood of traffic over the internet uh at your uh computing resource and uh this is where your website is going to either start to stall or it's going to become unavailable for your users and so the idea here is that you know if you want to protect against DDoS you need some kind of DoS protection traditionally those used to be like third party services that you uh would have to pay for and and it would sit in front of uh your load balancer or your uh end server but now the great thing with cloud service providers is that generally their networks have built in DoS protection so the idea is just by having your compute or your resources on AWS you're going to get uh built-in protection for free via AWS Shield and we'll talk about that [Music] next

hey this is Andrew Brown from Exam Pro and we are taking a look at AWS Shield which is a managed DoS protection service that safeguards applications running on AWS so when you route your traffic through Route 53 or CloudFront you are using a Shield Standard so here's a diagram to kind
of show you that it's not just those services but these are the most common ones where you'll have a point of entry into AWS so here we could also be including Elastic IP AWS Global Accelerator but the idea is that when you uh go through these services into the AWS network it has Shield built in and so you're going to get that protection before those uh before that traffic reaches your uh cloud services and in this case we're showing uh EC2 instances so AWS Shield protects against layers three four and seven attacks uh layer three four and seven is based off the OSI model which is a um a fundamental networking concept so seven is for the application layer four is the transport layer three is the network layer um there are two different types of plans for you to Shield we have Shield Standard which is free and then Shield Advanced which starts at 3,000 USD per year plus some additional uh costs based on usage of the size of the attack or what services you're using how much traffic is moving in and out so protection against the most common DoS attacks is what Shield Standard does uh you have access to tools and best practices to build DoS resilient architecture it's automatically available on all services for additional protection against larger and more sophisticated attacks that's where Shield Advanced comes into play it's available for specific AWS services so Route 53 CloudFront ELB AWS Global Accelerator Elastic IP uh and some notable features here is visibility reporting on layer three four and seven you're only going to get seven if you are using AWS WAF with it uh you have access to team and support so these are DoS experts but you're only going to get it if you're paying for business or enterprise support as you're paying for this as well uh you also get DDoS cost protection just ensure that you know your bills don't go crazy uh and it comes with an SLA so you have a guarantee that it's going to work both plans integrate with AWS web application firewall so WAF
to give you that layer 7 application protection so understand that if you're not using WAF you're not going to be having that layer 7 protection [Music] okay

hey this is Andrew Brown from Exam Pro and we are looking at Amazon GuardDuty so before we look at that we need to understand what is an IDS/IPS so an intrusion detection system and intrusion protection system is used as a device or software application that monitors a network or systems for malicious activity or policy violations so GuardDuty is a threat detection service which is IDS/IPS that continuously monitors for malicious and suspicious activity and unauthorized behavior it uses machine learning to analyze the following AWS logs your CloudTrail logs your VPC flow logs your DNS logs and what it will do is report back to you and say hey um there's this issue here and this is actually one that's very easy to replicate it's just saying somebody is using the root credentials and it's suggesting that you should not be doing that right because you're never supposed to be uh invoking API calls with the root credentials or you should be limiting that you'll might also notice that if you want to investigate you can kind of follow up that with uh Amazon Detective or AWS Detective whichever uh prefix they decided to put on that service it will alert you of findings which you can automate an incident uh response via CloudWatch Events which this uh it's been renamed to EventBridge so you know or third party services so you can follow up a remediation action um and here is a graphic of Amazon GuardDuty just a bit up closer so you can see all the findings and you can just see you have a lot of detailed information there [Music] okay

hey this is Andrew Brown from Exam Pro and we're going to take a look at GuardDuty so GuardDuty is um an intrusion protection and detection uh service and so what I've done is I've um I've done some bad practices purposely so that I can show you um some information in
there so I'm going to go over to GuardDuty okay and you do have to turn GuardDuty on and so once GuardDuty is on you're going to start getting reports coming in so notice here that we have some anomalous behavior 8 days ago and so uh that's B he's uh my co-founder he's also named Andrew as well and so we can kind of see some details here about who's accessing what and what they were doing he's not doing anything malicious but we can have an idea where they're from even shows generally where he is which he is near Thunder Bay and his his provider would be TB um and you can see that he is making uh API calls to describe account attributes and things like that then the other issue is the root account so there's MFA I turned it off so that we can or maybe this just usage here I actually do have it turned on I suppose here we see root credential usage and so it's saying hey you used it 77 times because sometimes I go in and and use uh the root account for tutorials but saying you're using this way too much you got stop doing that okay so that's something that is uh pretty interesting with GuardDuty um and it's really cost effective and easy to turn on so you can turn it on looks like they have a new thing for S3 um have not looked at that as of yet but that's kind of cool kind of feels like that would overlap with uh Amazon Macie but whatever and here we get a breakdown of cost so we see CloudTrail VPC flow logs DNS logs and this is where it would be ingesting data if you want to use that S3 protection you'd have to probably be turning or creating a custom CloudWatch trail that has data events to consume that information um you know so you know hopefully that gives you kind of an idea of things you can do and you can also centralize GuardDuty uh into one account so you can have one thing that takes care of everything and and move all the data across all your accounts into a single place so that's kind of interesting and you can set up follow-ups um it's
possible that uh I'm not seeing this here but generally it would show you uh it would show you a way of like triggering into CloudWatch probably you can do it pragmatically this is something interesting like the list management you can add trusted IPs or threat list so if there's people that you know are fine you can just whitelist them or if there's people that you know that are bad make sure that they are never allowed to get through so that's pretty much it with GuardDuty [Music] okay

let's take a look here at Amazon Macie so Macie is a fully managed service that continuously monitors S3 data access activity for anomalies and generates detailed alerts when it detects risks of unauthorized access or inadvertent data leaks so Macie works by using machine learning to analyze your CloudTrail logs and Macie has a variety of alerts so we have anomaly access config compliance credential loss data compliance file hosting identity enumeration information loss um location anomaly open permissions privilege escalation ransomware service disruption suspicious access and Macie will identify your most at risk users which could lead to compromise so here's just one little kind of uh tidbit from the um app itself where you have the total users and they categorize them into different uh risks I can't remember which flag means what in here uh Amazon Macie is an okay service uh it's it's very important if you're storing things in S3 but uh I don't I don't use it very often to be [Music] honest

hey this is Andrew Brown from Exam Pro and we are taking a look at AWS virtual private network also known as VPN so AWS VPN lets you establish a secure and private tunnel from your network or device to the AWS global network it's very important to emphasize the word secure here uh because when you're using Direct Connect that will establish a private connection but it's not using any kind of protocol to secure that data in transit whereas a VPN will be using a secure protocol there are
two options here we have AWS Site-to-Site VPN so securely connect on premise network or branch office site to VPC and AWS Client VPN that securely connect users to AWS or on premises networks one thing that we need to understand alongside VPNs is IPsec this stands for Internet Protocol security and is a secure network protocol suite that authenticates and encrypts the packets of data to provide secure encrypted communication between two computers over Internet Protocol network and it is used in VPNs and AWS definitely uses it [Music] okay

hey this is Andrew Brown from Exam Pro and we are taking a look at AWS web application firewall also known as WAF which protects you uh protects your web application from common web exploits so the idea here is you write your own rules to allow or deny traffic based on the contents of an HTTP requests you use a ruleset from a trusted AWS security partner in the AWS WAF rule marketplace WAF can be attached to either CloudFront or an application load balancer so here is that diagram the idea is you see CloudFront with the WAF or ALB with the WAF and what it does is it can protect uh web applications from attacks covered and the OWASP 10 uh top 10 most dangerous attacks if you don't know OWASP they're the open web application security project and they basically have all these uh security projects which are things to say hey these are things that you should commonly protect against or they might have like example applications that uh serve as a means to learn security so when we look at the top 10 it's injection broken authentication sensitive data exposure XML external entities so XXE broken access control security misconfigurations cross-site scripting so XSS uh insecure deserialization using components with known vulnerabilities and insufficient logging and monitoring so there you [Music] go

hey this is Andrew Brown from Exam Pro and we are going to take a quick look at AWS web application firewall also known as WAF and so um in this
account I happen to have a WAF running uh so we don't have to create one uh we already have something we can take a look here so I'm going to go to WAF and Shield and then on the left hand side you'll notice it's a global service but on the left hand side we're going to be looking for our web ACLs and so the idea is that when you want a WAF you create a web ACL and then within that web ACL you have uh the overview and then you have it can kind of show you kind of the traffic that's going on here we can have our rules and so um there's a lot of different kind of managed rule groups that you can use so these are ones that are provided by AWS so and a lot of these some of these can be paid some of these are free so you see there's these free rule groups where you're like hey hey I don't want any anonymous IPs you checkbox that on you know or I want to protect against SQL injection now the interesting thing is that AWS has this capacity unit so um you can't add all of these you can add a certain amount of capacity before you have to um um uh pay for more or something like that it's just kind of a way to um uh kind of cap the amount of stuff that you can put in in terms of rules um but there's a lot of other um rule groups from third party services like security companies that know what they're doing so if you like Fortinet's OWASP top 10 you can uh subscribe to that in the marketplace and be able to use it but uh yeah so that's how you apply rules there's something called bot control I've never used this before get real-time visibility into bot activity on your resource and control what bots allow and block from your resources that sounds really cool I cannot stand bots so I might turn that on myself or take a look at the cost there and see what we can find out but that's pretty much it with WAF um one thing I would say is that you can block out specific IP addresses or whitelist specific IP addresses and you might do that through rules I'm just going to see yeah
like maybe the bypass here and so these IP addresses are some of our um cloud support engineers where they're using our admin panel and um uh WAF is being too aggressive in terms of protection and so sometimes you have to uh say hey allow this IP address and let my um you know let my cloud support engineer be able to use the admin panel because they're not malicious okay so that's one little exception there but that's pretty much it [Music] okay hey this is Andrew Brown from ExamPro and we are taking a look at hardware security modules also known as HSM and it's a piece of hardware designed to store encryption keys and it holds keys in memory and never writes on the disk so the idea is that if the HSM was shut down uh that key would be gone and that would be a guarantee of protection because nobody could you know take the drive and steal it so here is an example of an HSM uh these are extremely expensive so you definitely don't want to have to buy them yourselves uh they generally follow FIPS so FIPS is the Federal Information Processing Standard so it's a US and Canadian government standard that specifies the security requirements for cryptographic modules that protect sensitive information FIPS is something you want to definitely remember um and there are two different um protocols here there's actually a bunch of different uh FIPS versions but we have FIPS 140-2 Level 2 and then FIPS 140-2 Level 3 so let's talk about the difference here so HSMs that are multi-tenant are going to be using FIPS 140-2 Level 2 compliant where you have multiple customers virtually isolated on the HSM and then there are HSMs that are single tenant and so they're going to be utilizing FIPS 140-2 Level 3 compliant so a single customer on a dedicated HSM and so the reason why we have these two levels is that when you have multiple tenants you can say all right this thing is uh has tamper evidence so we can see that somebody was trying to break into it but
there's no guarantee of uh it being tamper proof where Level 3 is tamper proof there's also uh FIPS 140-3 which is the new uh the newer um standard but not all uh cloud resources uh can meet that standard just because of how they offer the service uh so again FIPS 140-2 is really good but just understand that there are other ones out there and it's very easy to get FIPS 140-2 Level 3 mixed up with FIPS 140-3 something that I always had um a hard time remembering the distinguishing between those two so for multi-tenant this is where we're using AWS Key Management Service and for single tenant we're using AWS CloudHSM and the only time you're really using CloudHSM is if you're a large enterprise and you need that regulatory compliance of getting FIPS 140-2 Level 3 [Music] okay hey this is Andrew Brown from ExamPro and we are taking a look at Key Management Service also known as KMS and it is a managed service that makes it easy for you to create and control the encryption keys you use to encrypt your data so KMS is a multi-tenant HSM so it's a hardware security module and many AWS services are integrated to use KMS to encrypt your data with a simple checkbox and KMS uses envelope encryption so here's that example of a simple checkbox in this case it's for RDS and what you'll do is choose a master key a lot of times AWS will have a default for uh key for you that's managed by them that is free to use which is really great uh so for KMS it's using envelope encryption so when you encrypt your data your data is protected but you have to protect your encryption key when you encrypt your data key with a master key as an additional layer of security so that's how it works so just to make this really clear I have my data I use this key to encrypt this data and now I need to protect this key so I use another key to encrypt uh this key which forms an envelope and then I store this uh master key in KMS and this one's considered the data key all
[Music] right hey this is Andrew Brown from ExamPro and we're going to take a look at Key Management Service also known as KMS so type in KMS on the top here and we'll pop over here and KMS is a way for you to create your own keys or you can use AWS managed keys so up here and not all these appear right away but as you use services um you will AWS will generate out managed keys for you and these are free you can uh create your own keys um and these cost a dollar each so if I go ahead here and create a key I can choose whether it's symmetric or asymmetric which we definitely learned in the course which is nice for asymmetric you can make it encrypt and decrypt sign and verify and they're just kind of narrowing down the type of key would use um for this you know if I went to symmetric I go here I'm just kind of seeing if I can enter the uh actual material into the key here um so I'm just going to keep clicking through here uh my custom key generally you don't really need to do this but um you know if it's interesting you can set up administrators to say who's allowed to administer the key and then you have someone that um is allowed to use the key and you usually want to keep those two accounts separate you don't want to have the same person administrating and using the key okay keep those two separate and so we would have a key policy so you can change this to say the rule tools that is allowed to use um and then we can go here and hit finish and so there we now have our own custom key and one thing we can do is it's possible to rotate out these keys when you need to be um but anyway when we want to use KMS it's built into basically everything and we've seen it multiple times throughout this course when we gone over to EC2 we'll just go take a peek at a few different places here so when we've gone to go launch an EC2 instance and we go over to uh storage so we say select and review or next and we go over to storage notice that here this is using encryption right
so I can choose that or even my custom key if you're in DynamoDB or anywhere else it's always something like a checkbox and you choose your key so that's pretty much all there really is to KMS it's very easy to use and there you [Music] go hey this is Andrew Brown from ExamPro and we are going to take a look here at CloudHSM it is a single tenant uh HSM as a service that automates hardware provisioning software patching high availability and backups so here's the idea is that you have your AWS CloudHSM you have your developers interacting with it your application interacting with it you have an HSM client installed in your uh EC2 instance so that it can access uh the CloudHSM keys so AWS CloudHSM enables you to generate and use your encryption keys on FIPS 140-2 Level 3 validated hardware it's built on open HSM industry standards to integrate with things like PKCS #11 Java Cryptography uh Extension so JCE Microsoft CryptoNG libraries you can transfer your keys to other commercial HSM solutions to make it easy for you to migrate keys on or off AWS configure a KMS to use AWS CloudHSM uh cluster as a custom uh key store rather than the default KMS key store uh so CloudHSM is way more expensive than KMS KMS is like free or a dollar per key where CloudHSM is a fixed cost per month because you are getting a dedicated piece of hardware um and there's not a lot of stuff around it so other than the AWS KMS integration a lot of times it can be really hard to use this as well so the only time you're really going to be using CloudHSM is if you're an enterprise and you need to meet FIPS 140-2 Level 3 compliancy [Music] okay hey this is Andrew Brown from ExamPro and we are taking a look at know your initialism so a lot of AWS services and concepts and cloud technologies use initialisms to just kind of shorten uh common things that we need to use on a frequent basis and it's going to really help if you learn these because then what you
can do is substitute them when you are uh seeing a service name or something particular and that's going to get you through content a lot faster um and in the wild you're going to see these all over the place because people aren't going to say the full name they're going to say the initialism so let's go through them so for IAM it's Identity and Access Management for S3 that's Simple Storage for SWF it's uh SWF that's Simple Workflow Service SNS is Simple Notification Service SQS is Simple Queue Service SES is Simple Email Service SSM is Simple Systems Manager but uh you know when we see the name it's usually just Systems Manager but we still use the uh initialism SSM then there's RDS Relational Database Service VPC Virtual Private Cloud VPN Virtual Private Network CFN CloudFormation WAF Web Application Firewall and that is a very common initialism not just AWS but outside of it as well MQ for Amazon ActiveMQ ASG for Auto Scaling groups TAM for technical account manager ELB for Elastic Load Balancer ALB for the Application Load Balancer NLB for the Network Load Balancer GWLB for the Gateway Load Balancer CLB for the Classic Load Balancer EC2 for Elastic Cloud or Cloud Compute ECS for Elastic Container Service ECR for Elastic Container Repository EBS for Elastic Block Storage EMR for Elastic MapReduce EFS for Elastic File Store EB or EB for Elastic Beanstalk ES for Elasticsearch EKS for Elastic Kubernetes Service MSK for Managed Kafka Service and if you think I got the S and K backwards I did not for whatever reason it's MSK uh then uh there's AWS Resource Manager which is known as RAM ACM for Amazon Certificate Manager PoLP for principle of least privilege which is a concept not a service IoT Internet of Things this is not a service but is a tech concept or cloud concept RI for reserved instances and I'm sure there are more but these are the ones that I know off the top of my head uh and they're in my uh usual use case uh for what I'm doing day to day but a lot of
times you'll probably just end up needing to remember ASG ELB um EC2 S3 things like that [Music] okay all right let's compare AWS Config and AppConfig which both have config in the name but there are two completely different services so AWS Config and AppConfig so AWS Config is a governance tool for compliance as code you can create rules that will check to see if resources are configured the way you expect them to be if a resource drifts from the expected configuration you are notified or AWS Config can auto remediate correct the configuration back to the expected state for AppConfig it is used to automate the process of deploying application configuration variable changes to your web application you can write a validator to ensure the changed variable will not break your web app uh you can monitor deployments and automate integrations to catch errors or roll backs so Config is for compliance governance AppConfig is for application configuration variables so there you [Music] go let us take a look at SNS versus SQS and uh these things have something in common and it's they both connect apps via messages uh so they're for application integration so let's take a look at SNS so Simple Notification Service and then Simple Queue Service okay so SNS is intended to pass along messages via a pub sub model whereas SQS queues up messages and has a guaranteed delivery so the idea with SNS you send notifications to subscribers of topics via multiple protocols so it could be HTTP email SQS SMS and SNS is generally used for sending plain text emails which is triggered via other AWS services the best example here is billing alarms I know we mentioned this but I like to repeat it so that you absolutely know uh it can retry sending in the case of failure of HTTPS so it does have a retry attempt but that doesn't mean there's a guarantee of delivery it's really good for webhooks simple internal emails triggering Lambda functions if you had to compare these
to third-party services it's similar to Pusher or uh PubNub so SQS is uh the idea here is that messages are placed into a queue applications pull the queue using the AWS SDK you can uh retain a message for up to 14 days you can send them in sequential order or in parallel you can ensure only one message is sent you can ensure messages are delivered at least once it's really good for delayed task queuing up emails um comparable uh stuff would be something like RabbitMQ or uh Ruby on Rails Sidekiq [Music] okay hey this is Andrew Brown from ExamPro and we're doing variation study with SNS versus SES versus Pinpoint versus WorkMail and so SNS and SES get confused quite often but all of these services uh have something in common they all send emails but uh the utility of email is completely different for each one so the first one is Simple Notification Service is for practical and internal emails so you send notifications to subscribers of topics via multiple protocols so it's not just for email it can handle HTTP it can send SQS it can send SNS me or SMS messages so um messages to your phone um but uh it does send emails and so SNS is generally used for sending plain text emails which is triggered via other AWS services the best example of this is a billing alarm so most exam questions are going to be talking about SNS because lots of services can trigger um SNS for notifications and so that's the idea it's like oh um you know did somebody spend server send off an email through via SNS uh did we spend too much money here you know all sorts of things can go through SNS to send out emails and you need to know what are topics and subscriptions regarding SNS then you have SES so Simple Email Service and this is for transactional emails and when I say transactional emails I'm talking about emails that should be triggered based on in-app action so sign up reset password invoices um so a cloud-based email service that is similar to this would be like Send
Grid SES sends HTML emails uh SNS cannot so that is the distinction is that SES can do HTML and plain text but SNS just does plain text and you would not use SNS for transactional emails SES can receive inbound emails uh SES uh can create email templates custom uh domain name emails so when you use SNS it's whatever Amazon gives you it's going to be some weird address but SES is whatever custom domain you want you can also monitor your email reputation for SES then you have Amazon Pinpoint and so this is for promotional emails so these uh when we say promotional we're talking about emails for marketing so you can create email campaigns you can segment your contacts you can create customer journeys via emails um it can do A/B email testing and so SES and Pinpoint get mixed up because a lot of people think well can I just use my transaction emails for promotion emails absolutely you can it's not recommended because um you know Pinpoint has a lot more functionality around promotional emails they're built differently uh and so you know just understand that those two have overlapping responsibilities but generally you should use them for what they're for then you have Amazon WorkMail and this is just an email web client so it's similar to Gmail or Outlook you can create company emails read write and send emails from a web client within the AWS Management Console so there you [Music] go let us compare Amazon Inspector versus AWS Trusted Advisor so both of these are security tools and they both perform audits but what they do is slightly different so Amazon Inspector audits a single EC2 instance that you've selected or I suppose you could select multiple EC2s it generates a report from a long list of security checks um and so Trusted Advisor has checks but uh the key difference here is that it doesn't generate out a PDF report though I'm sure you could export CSV data if you wanted to and then turn that into a report uh it gives you a holistic view of
recommendations across multiple services and best practices so for example if you have an open port on the security groups it can tell you about that you should enable MFA on your root account when using Trusted Advisor things like that um one thing though is that Trusted Advisor isn't just for security does checks across um uh five different things um but they both do security and they both technically do checks okay so there are a few services that have Connect in the name you'd think they'd be related in some way but they absolutely are not and they don't even have similar functionality but let's take a look here so we know the difference the first is Direct Connect it is a dedicated fiber optics connection from your data center to AWS it's intended for large enterprises with their own data center and they need an insanely fast and private connection directly uh to AWS and you'll notice they give private in parentheses because if you need a secure connection you need to apply uh an AWS virtual private network connection on top of Direct Connect then you have Amazon Connect this is a call center as a service get a toll-free number accept inbound and outbound calls set up automated phone systems uh so if you ever heard of an interactive voice system an IVS this is basically what Amazon Connect is you have MediaConnect this is the new version of Elastic Transcoder it converts videos to different video types so if you have let's say a thousand videos you need to transcode them into different video formats maybe you need to apply watermarks insert introduction videos in front of each one uh this is what you use MediaConnect for [Music] okay just in case you see Elastic Transcoder as an option I just want you to know what it is compare it to MediaConnect so both these services are used for transcoding and technically Elastic Transcoder is the old way and AWS Elemental MediaConvert or just MediaConvert is the new way so Elastic Transcoder was the original
transcoding service it may still have programmatic APIs or workflows not available in MediaConvert so this could be reasons why we see legacy customers still using it or you know it's just too much effort for them to uh upgrade to the new one it transcodes videos to streaming formats uh MediaConvert is more robust transcoding service that can perform various operations during transcoding so it also transcodes videos to streaming different streaming formats but it overlays images it inserts uh video clips extracts captions data it has a robust UI so generally it's recommended to use the uh MediaConvert terms of costs are basically the same so there's no reason not to use MediaConvert [Music] okay so AWS Artifact versus Amazon Inspector get commonly mixed up all the time but both Artifact Inspector compile out PDF reports so that's where the confusion comes from but let's talk about what is different about the reports so AWS Artifact and AWS Inspector so for Artifact you're answering why should an enterprise trust AWS it generates a security report that's based on global compliance framework such as SOC or PCI or a variety of others where Amazon Inspector is all about how do we know this EC2 instance is secure can you prove it so it runs a script that analyzes your EC2 instance then generates a PDF report telling you which security checks had passed um so the idea here is it's an audit tool for security of EC2 instances so there you [Music] go so let us compare ELB versus ALB versus NLB versus GWLB versus CLB uh because you know when I was first learning AWS I was getting confused because there was Elastic Load Balancer but there was these other ones so what gives right so what's happening here is that there is a main service called Elastic Load Balancer ELB and it has four different types of possible load balancers so we'll go through all the types so the first is Application Load Balancer commonly uh initialized as ALB and so this operates on layer 7 for HTTPS this
makes sense because that is the application layer and it has some special powers in terms of routing rules so the idea here is you can create rules to change routing based on information found within the HTTPS request so let's say you wanted some uh routes to go that have a particular subdomain to this server and a different subdomain to another one you could do that and because it is an Application Load Balancer uh you can attach a web application firewall for protection you can't attach on the NLB or other ones because they're not application based so that is just a little caveat there then you have Network Load Balancer uh commonly abbreviated to NLB this operates on layer three and four so we're talking TCP UDP this is great for when you have extreme performance that requires TCP and TLS traffic it's capable of handling millions of requests per second uh while maintaining ultra low latency it's optimized for sudden and volatile traffic patterns while using a single static IP address per availability zone uh if you're making video games this is what they like to use is the Network Load Balancer but it has other utilities outside of that then you have Gateway Load Balancer GWLB this is when you need to deploy a fleet of third-party virtual appliances that support uh I don't know how to say that in abbreviation but I'll just uh say it's GENEVE um and there's not much we need to know outside of that okay then there is the Classic Load Balancer uh commonly initialized as CLB this operates on layer 3 4 and 7 it's intended for applications that were built within the EC2-Classic network it doesn't support target groups so ALBs NLBs uh use target groups which is just an easier way of grouping together um a bunch of uh target resources like compute uh that we're going to load balance to and with Classic Load Balancer you just directly assign EC2 instances uh and it's going to be retired on August 15th of 2022 so yeah it looks like it can do a lot of stuff but um it also
doesn't have any of the superpowers of these specialized ones and so there's no reason to keep it around and generally you should not be using it um and so yeah that's about it